CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Risk Management

Flexibility vs. Security – A False Choice

 Striking a Balance Between Security and Flexibility is Crucial

 Striking a Balance Between Security and Flexibility is Crucial

Over the last twenty or so years I’ve been a part of a lot of different environments. Companies as small as three people, to one of the world’s largest and most complex enterprises – all unique in their own way. The way they each handled security was fairly unique as well. Beyond the obvious “Did they take it seriously?” question, was the all important question of how they achieved balance. The type of balance I’m referring to was between flexibility and security. Organizations that figure out the balance flourished, while those who failed struggled.

For the record, I do not believe you can’t have both flexibility and security. I do believe, however, that you must compromise. Absolute flexibility, or absolute security, while they may appear appealing are ultimately bad. When you think about it, completely secure environments are often unusable. A similar thing can be said about complete flexibility. Those types of environments are virtually impossible to secure.

So we look for a balance. But that balance often proves to be elusive. Some companies require highly secure environments. Others require high degrees of flexibility to support the workforce. Providing one while maintaining a reasonable level of the other is no small feat. Security professionals work hard to find that balance. But the secret to this balance is the word reasonable. Often we as security professionals aren’t reasonable. Our colleagues on the business side of the table aren’t immune to this either. So again, we seek balance.

As a security professional you should remember three key things to guide you:


1. You support the business mission

2. Productivity often trumps any and all security requirements if forgotten

3. Security is never an absolute

Advertisement. Scroll to continue reading.

That said, let me lay out some useful strategies for striking a flexibility – security balance.

First, understand your organization’s appetite for risk. I know risk is a massively over-used word in security. I also know many security professionals use it incorrectly. The point is that you must understand where the limits are. I don’t believe there is a magic formula or template for this activity. You simply have to figure it out. Talking to your enterprise risk team generally helps. The point is don’t decide this on your own.

Second, understand how your business or organization operates. What are the driving processes? What level of autonomy are employees given? What are the regulatory pressures and responsibilities? These are key inputs into your balancing strategy. 

Finally, understand your own resources and capabilities. How much control a security team can exert over an organization is directly proportional to it’s ability to execute. Even a small team with good operational processes can handle the workload that tight control requires. However, take operational capability away and control is at best an illusion.

Bottom line, if you’re not careful, security becomes a hinderance and a target. Where security leaders create inflexible environments, security tends to struggle. High levels of flexibility, supported by good operational processes, can drive good security. It’s all a matter of how you define your strategy.

As an example, let’s take something we’re very familiar with. Security organizations have historically added a significant amount of lead time to projects. What I mean is that when a project called for compute resources, security teams typically were a big part of the timeline. It was, and in some cases still is, common for security take up to 20% of the project timeline to “add security”. That is simply unacceptable. Where security was inflexible developers and project owners turned to a predictable outcome. Development teams turned to the cloud to bypass security.

So the lesson here is that security teams must focus on flexibility. Where flexibility fails, security often follows suit. Striking a balance between security and flexibility is crucial.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...