This business we choose. It seems so straightforward from the outside looking in. From a distance it looks like security’s job is “Protect all the civilians.” It’s hard to understand the real job until you spend some time in it. Once you do, you start to learn that your job isn’t to protect everything at all costs and ensure nothing bad ever happens. It’s to make sure the organization can be as successful as possible while it navigates its way through a landscape full of risk.
Good Security Leaders know this journey requires a robust security posture. But how we pursue that posture can make all the difference in building a resilient, security-conscious organization.
The concept of "Social Work, Not Law Enforcement" emphasizes building relationships, trust, and open communication instead of rigidly enforcing rules. It's a mindset that, when embraced, can profoundly impact how we approach our roles.
Old and Busted: Security as Enforcers
Traditionally, security teams have often taken a "top-down" approach – focused on technical controls, policies, and the consequences of non-compliance. This model emphasizes control and indirectly assumes users are obstacles to be managed. While there's a need for some baseline rules, over-indexing on this approach can foster an adversarial environment, breeding distrust between security and the broader organization.
New Hotness: Security as Educators and Collaborators
A "Social Work, Not Law Enforcement" approach turns the old model around. Here's what this means in practice:
Understanding Motivations: Instead of assuming users are trying to subvert security, understand their work needs and challenges. Why might someone be tempted to work around controls? Do we need new controls or just some small adjustments? Empathy is key.
Education, Not Punishment: Focus on collaborative education rather than relying solely on punitive measures after incidents. Make security training engaging and relatable to different roles. But remember: while it’s safe to assume not everyone is as technical as your team, don’t assume everyone is stupid.
Partnership, Not Policing: Cultivate partnerships across the organization. User and business groups that feel supported and understood are more likely to become security allies.
Building Trust: Transparency is critical. When something does go wrong, lead debriefings, share information, and focus on solutions, not blame. Users should feel comfortable reporting incidents without fear of reprisal. People afraid of losing their job will ask for help far less readily than those who know the help comes without judgement.
The Social Work Mindset
Adopting a relationship-centric approach brings significant advantages:
Reduced “Surprises”: When people are motivated to work with security early, they are less likely to ignore problems or seek risky workarounds.
Improved Risk Management: Trust makes users more likely to report issues quickly, minimizing their potential impact.
Decreased Costs: Strong relationships with your partners mean fewer expensive solutions to surprise problems.
Promote collaboration over control, empower teams to become educators, and invest in security training that prioritizes real-world relevance to users. Most importantly, model the behavior you want to see by building trust throughout the organization.
This shift isn’t for everyone, and it can’t happen overnight. Be patient, communicate the vision relentlessly, and celebrate successes along the way. By prioritizing relationships over rigid rules, security teams can evolve from gatekeepers to true allies across their organizations.