Security shouldn’t be the department of “No”.

In Culture & Diversity, Cyber Security, Leadership by Endre Walls

It’s our job to understand what users need, and to make sure they can do their jobs with our help. But instead, cyber security teams have won the reputation of trying to block business requests rather than develop methods and technologies to facilitate them.

Businesses aren’t static, and neither are threats. Organizations have to adapt to change if they want to remain relevant and flourish, and we have to adapt to those changes, too, because we don’t do security for security’s sake. We’re there to serve a business, and we have to think in business terms.

It’s important, then, for people to realize that security is not about gates. It’s not the place where “no” comes from, but where innovation happens to enable businesses to grow and operate in the most secure way possible. They can’t be locked down to a point where no one can operate.

So when I’m talking to different CISOs and CIOs, I try to remind them that the best security departments are fire departments, and not police departments.

The work fire departments do is proactive. They hand out smoke alarms, they educate about fire safety, they carry out inspections, and minimize risk for people as much as possible. They focus on prevention, and when there is a fire, they act to minimize damage to the structure and ensure they can put out that fire as quickly as possible, because fires do happen. 

The work police departments do is enforcement, not prevention. They’re about doing what the law says, how do we enforce it, and who gets put in jail. It’s not the kind of proactive work that firefighting is.

I have always preached that security departments should never be police departments. The job should never be about enforcing policy. The job should never be about telling people “no.” I feel it’s counterculture. I also feel that people tend to push back when you create that kind of environment.

It’s my belief that security departments can and should transition themselves from police departments to proactive firefighting units focused on ensuring people understand risk, are educated, and can prevent fires from happening.

I do “fire” drills with individual units at least twice a year, in addition to an annual companywide tabletop exercise. In 2019, that exercise happened to revolve around a pandemic, specifically an ebola outbreak. So when the U.S. government announced a lockdown the following year after Covid-19 began whipping around the world, there was a process in place and everyone was prepared, because we had drilled.

People ask me how large our security department is. My answer is whatever number of employees we have in the company as a whole.

But it’s not only about training employees. It’s also about bringing in the customers, too. I believe if every industry got more involved with customers, then we would have fewer breaches, and more reliance on people’s information and confidence.

Now, breaches will happen, just as fires will break out. But the goal is to provide as much proactive protection to the organization as possible so when those fires occur, you can prevent the destruction of the structure.

If you look at some of the large-scale breaches recently, a hacker was in the company’s environment for several months. If those companies had taken on the firefighter methodology, these hackers could have been tackled earlier.

So I urge you to start handing out those smoke detectors. Thinking of ourselves as the Smokey the Bears of security will go a long way toward achieving our goals.


(Originally posted on Security Current)