Chapter 3. SCE versus Security Theater—Getting Drama out of Security

No one disputes that the security of our data and systems is important. So why are security goals often rendered secondary to other goals? Traditional security programs commonly add friction to work being conducted (beyond just software development!), requiring organizational users to jump through extra hoops to achieve their goals. Security thereby serves as a gatekeeper—whether requiring user interaction with security tools for account access or making their rubber stamp essential in approving software releases. Of course, businesses need to make money, so anything standing in the way of making widgets or delivering services to customers is, quite understandably, placed at a lower priority.

The solution seems simple—just ensure security programs are enabling the business rather than slowing it down! But, as with many things in life and in technology operations, it’s far easier said than done. Some compliance requirements, such as access controls stipulated by the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), are nonnegotiable if an organization wants to avoid fines and reputational damage. There can be ethical judgments—like preserving privacy over monetizing as much user data as can be collected—that are also irreconcilable. However, the constraints espoused as valuable by traditional security programs are often artificial in nature—a ...

Get Security Chaos Engineering now with O’Reilly online learning.