Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Management & Strategy

What the Segway Can Teach Us About Information Security

Segway Human Transporters

The Segway Can Offer More Security Insight Than You Might Realize

Segway Human Transporters

The Segway Can Offer More Security Insight Than You Might Realize

According to Wikipedia, “The Segway PT (originally Segway HT) is a two-wheeled, self-balancing personal transporter by Segway Inc. It was invented by Dean Kamen and brought to market in 2001. HT is an initialism for ‘human transporter’ and PT for ‘personal transporter’.”

Most of us are likely familiar with the idea of the Segway, though fewer of us have probably tried riding one.  That was certainly true of me – up until very recently.  A few weeks ago, I tried riding a Segway for the very first time.

At the risk of an abrupt segue and a poor excuse for a Dad joke, what does a Segway have to do with information security?  Further, what can the Segway teach us about our field and improving our respective information security postures? I would argue that the Segway can offer us more security insight that we might initially realize.  It is in this spirit that I offer five ways in which a Segway can instruct us as to how to improve our security programs and security postures.

1. Self-balancing:  If you’ve ridden a Segway, you know that it takes a few minutes to learn how to control and steer it.  Until you get used to the fact that it self-balances, it feels a bit strange to lean forward and background, almost like doing so will cause you to fall.  Once you get the hang of the Segway, however, it’s actually quite intuitive and easy to operate.  In the same way, we need to build our security programs to be self-balancing, intuitive, and easy to operate.  We need to pay the appropriate amount of attention to all of our functional areas and programs, regardless of how much or little they interest us.  If we begin to neglect a particular area or one area begins missing the mark, we need to make adjustments.  We want our security program to be attuned enough to pick up on the change immediately and, at the same time, resilient enough to address it right away.  Otherwise, we run the risk of our efforts running astray and off-course far too easily.

2. Continually adjusting:  Not surprisingly, a self-balancing device like the Segway will need to continually measure, assess, and adjust its positioning to maintain stability and usability.  The same is true of a security program.  First and foremost, meaningful metrics that measure how the security team is mitigating, minimizing, and managing the risks and threats to the organization are required.  This is an area that remains a challenge across our industry as a whole.  But it is an investment that pays a high yield.  The measurements we receive from quality metrics allow us to more easily assess our progress and performance.  That, in turn, allows us to adjust as necessary, continually correcting and adjusting our course to ensure we stay on track toward meeting our goals.

3. Carefully tuned:  A Segway is a well-engineered, mature product.  All components of the Segway serve a purpose and are carefully tuned to meet expectations.  The same is true of a security program.  In order for a security program to be effective, it needs to be well-engineered and mature.  That starts at the top – with the support, guidance, and leadership of security executives and the business.  A strategy and vision should be articulated, documented, and communicated.  Buy-in from customers, partners, executives, the board, and other stakeholders should be gathered.  From there, each functional area within the security team should be responsible for properly implementing and operating its area of the vision and strategy.  This requires good leadership in each area, along with the right people, process, and technology.  Gaps should be identified and addressed continually, to ensure that the program continues in an ever-maturing direction.

Advertisement. Scroll to continue reading.

4. Easy to use:  Operating a Segway is extremely easy.  This is by design, of course.  Working with the security team ought to be the same.  Security can’t be the department of “no”.  Obviously, operating the business securely is of the utmost importance.  But the key word in that sentence is the word “operating” – at the end of the day, the job of the business is to run itself.  A good security team has invested in building and maintaining relationships across the business.  Further, that same good security team has figured out how to work collaboratively with the business to help it operate more securely without being the department of “no”.  Making security more user-friendly to the business encourages the business to incorporate security from the beginning.  That, in turn, results in a more secure business, rather than a less secure one.

5. Fun: No discussion of the Segway would be complete without mentioning how fun it is to ride one.  At the end of the day, no matter how sophisticated, how impressive, and how advanced a product is, if it isn’t fun for the end-user, it’s going to be hard for it to have mass appeal.  As we look at ourselves as a profession, we can take a lesson from this.  There are many bright, talented, and experienced security professionals. There are many security teams with advanced and mature capabilities. But what we as a profession don’t have is the ability to connect with the broader world that’s out there.  Okay, security may never be as fun as a Segway. That being said, we don’t need to remain an obscure and misunderstood profession. What’s stopping us from clearly communicating some of the principles and knowledge that drive us as security professionals to a broader audience in terms that they can understand and relate to? I’ve always believed that if we can promote security in terms that the broader world can understand and relate to, we stand a chance at making a difference.  The power to create a more secure world, it seems, is in our hands.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.