Connect with us

Hi, what are you looking for?


Management & Strategy

Want Better Security? Be a Pragmatist.

I’ve always considered myself a pragmatist.  Perhaps not surprisingly, I have also always been a big fan of pragmatism.  I guess one goes along with the other.  A pragmatist is defined as “a person who is oriented toward the success or failure of a particular line of action, thought, etc.; a practical person.” 

I’ve always considered myself a pragmatist.  Perhaps not surprisingly, I have also always been a big fan of pragmatism.  I guess one goes along with the other.  A pragmatist is defined as “a person who is oriented toward the success or failure of a particular line of action, thought, etc.; a practical person.”  Aside from being a useful worldview, I would argue that being a pragmatist is the only way to improve the security posture of an organization.  How can I make such a statement?  Allow me to explain.

Before diving into this topic, perhaps it makes sense to begin by examining the portion of the definition that reads “oriented toward the success or failure of a particular line of action”.  To put it another way, a pragmatist is someone who focuses primarily on successfully achieving a desired goal or a desired outcome.  As many of us are aware, this almost always involves working collaboratively with others, making compromises, hard choices, difficult decisions, and perhaps most importantly, not being an ideologue.  Achieving gains in any field involves stepping away from ideology, and security is no exception.  The focus shifts from one of doing things a certain way to one of achieving a successful outcome, even if it necessitates reasonable concessions that may feel a bit uncomfortable initially.

I’d like to help illustrate this concept through an example.  Recently, I observed a discussion on security improvements to a publicly facing portal between several different people from various different places around the security community.  The person responsible for the security improvements decided to share some details around steps that were taken to improve authentication to the portal, as well as its overall security.  The details shared also included issues and challenges that were encountered, along with how they were addressed.  To my surprise, what was shared was met with a chorus of complaints and criticisms, rather than praise, from many in the group.

Actually, now that I think about it a bit more, I don’t know why I was surprised at all by this reaction.  Not because I agree with the reaction, but rather, because I should know better by now.  Sometimes it seems like the security field is dominated by ideologues, even though I know that the silent majority of practitioners is out there listening.  Perhaps it was naive of me to expect a room full of ideologues to understand the business side of things that the brave practitioner needed to grapple with.  It is true that those of us that make real-world decisions also have to make real-world compromises.  But, in our defense, we are focused on the end goal of improving security.  We can’t always control every detail of how that gets done in the end, and we can’t always have everything exactly the way we want it.  I don’t see this as a negative, but instead, as a big positive.

To understand this a bit better, let’s return to the example of the publicly facing portal discussed above.  In this specific case, the company running the portal is, understandably so, extremely sensitive to the customer experience.  In highly competitive industries, companies strive to find creative ways to beat out the competition.  Ease of use for a customer is just one of the many different points that companies compete on.  Given the pressure on the business, the revenue from which funds security, it’s easy to see how being an ideologue just won’t work here.  Perfect security on the portal is never going to happen.  So, let’s boil it down to its essence.  The security professional faces two choices:

1. Be a pragmatist, work collaboratively with the business to understand constraints and priorities, and focus on how security can be improved within that framework, or…

2. Be an ideologue, don’t seek to understand the constraints and priorities of the business, and demand changes that will not fit within the framework that the business is operating in.

Advertisement. Scroll to continue reading.

Which approach do you think will land better results?

Whether we’re working on securing an enterprise, looking to gain visibility and response capability during a move to the cloud, trying to make software more secure, improving the security of web applications, building a security operations and incident response program, or any of the other important undertakings in the security field, we need to work as a partner and an advisor to the business.  Time and time again, this has shown itself to be the only proven way to make progress toward the end goal of improving the organization’s security posture.

The modern security practitioner needs to be a pragmatist that works with the business to improve security without negatively impacting the business.  Now, more than ever before.  Or, to put things a bit differently:  What has two or three decades of ideology gotten us?  Has it motivated the majority of organizations to proactively identify vulnerabilities and close those holes?  No.  Has it motivated the majority of organizations to continuously monitor for intrusions and prepare to investigate and respond to them?  No.  Has it reduced the number of breaches and put a stop to the theft of sensitive, confidential, and proprietary information?  No. 

We’ve been so busy with ideology that we’ve forgotten to focus on what’s important — our end goals and the outcomes we desire.  Most business people understand risk mitigation quite well.  You’d be surprised what happens when you work collaborat
ively with the business.  Educating the business about the risks and threats they face and constructively helping them to work towards mitigating those risks and threats has been repeatedly proven to improve security in practice.  Despite this, we seem to have become the profession of no, mocking all those who make difficult choices and work collaboratively with the business.  That has to change if we’re going to have any long-term impact and success. 

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.