Overcoming Security Obstructionism

When I think about Security Obstructionism, a term I love coined by Kelly Shortridge, I picture a set of tools and strategies in the security world that, ironically, seem more focused on slowing things down than actually bolstering security.

It’s like when organizations become that notorious “Department of No,” where every innovative idea hits a security roadblock. And what’s the main drive behind this? Surprisingly, it’s not always about achieving top-notch security for the company or its users.

Instead, it feels like it’s more about churning out security tasks and metrics to show “progress.” This, in a way, gives the security team a tighter grip on the organization, boosting their influence and standing.

Here is just a brief look at all the SecObs things we routinely do as security departments, courtesy of Kelly's blog:

[Image: Security Obstructionism]

But why? Why do we, time and again, fall into this trap, becoming the very “Department of No” we once vowed to avoid?

Let’s dive into the psychological underpinnings that drive us towards SecObs behaviors. From our innate need for control to the allure of power and status.

I believe introspection is the first step towards change. By recognizing and confronting these mental roadblocks, we can chart a path forward, one where we truly get out of our own way and champion genuine security advancements.

The Human Need for Control

Control can be intoxicating. Certain corpses currently clinging to political power come to mind. And security professionals? Oh, we’re no different. In fact, some might argue we’ve turned the desire for control into an art.

Throughout history, from the great empires to modern corporations, the need to control has been a driving force. I’ve worked for managers throughout my career who believed that every decision, every move, had to pass through them. Why? Because they knew best, of course. Or so they thought.

This would only ever change after a series of humbling experiences made them realize this incessant need for control was not only detrimental to the team but also to their own growth.

But let’s circle back to SecObs. When security professionals feel they’re losing their grip, what do they do? They tighten the reins, often to the point of suffocation. It’s a classic reaction, really. Perceived loss of control leads to increased obstructionist behaviors.

It’s as predictable as my Aunt Gertrude’s criticism of my tattoos at family gatherings. And just as unwelcome.

The irony? In our quest for control, we often end up losing it entirely. By becoming the proverbial “Department of No,” we alienate our peers, stifle innovation, and, in some tragic cases, become the very security risk we sought to mitigate. A twist of fate, wouldn’t you say?

In-group vs. Out-group Dynamics

The age-old tale of "us" versus "them." It's a narrative we've all lived with since the cool kids' table in grade school. From tribal rivalries to modern office politics, in-group and out-group dynamics have played a starring role in the story of human interaction all along.

In case some of you are blissfully unaware of this concept, let's get on the same page with what I mean. The in-group refers to those we identify with, our "tribe," if you will, while the out-group is, well… everyone else.

It’s the classic “you can’t sit with us” mentality, only with more dire consequences than a lunchroom snub.

Now, let’s talk about how this works with security professionals. We love to see ourselves as the guardians at the gate, don’t we? The chosen few who bear the weighty responsibility of safeguarding the realm.

In this self-aggrandizing narrative, we, the security professionals, are the in-group. The enlightened ones. And the rest? Those developers, marketers, and, heaven forbid, the sales team? They’re the out-group. The uninitiated. The ones who “just don’t get it.”

But here's the rub. This divisive mindset, this "us versus them" story, has profound implications for security decisions and practices. When we view others as outsiders, we're less likely to collaborate, to share knowledge, to bridge the gap.

Instead, we erect walls, both literal and metaphorical, that hinder progress and breed resentment. I’ve been there, trust me. I’ve sat in those meetings, eyes rolling, as I silently dismissed the concerns of “non-security” folks. And where did it get me? Nowhere fast.

The tragedy of this dynamic is that it perpetuates a cycle of mistrust and misunderstanding. By placing ourselves on a pedestal, we not only alienate potential allies but also blind ourselves to valuable insights from outside our echo chamber.

It’s high time we recognize the folly of this approach and strive for a more inclusive, collaborative security culture. After all, in the grand scheme of things, aren’t we all on the same team?

Fear of Change and the Unknown

[Image: department of no]

It’s almost comical how we, as a species, have achieved such technological marvels, like self-warming bidet toilet seats, and yet we still fight change at every turn. But to give us a bit of slack, resistance to change is as natural as my aversion to morning meetings before my first coffee.

It’s hardwired into our DNA, a relic from our cave-dwelling days when the unknown often meant “bear about to eat me.”

Enter the world of security, where change is not just constant but accelerated. With every technological leap, there’s a new set of challenges, a fresh batch of nightmares for us security folks.

iOS 17 just dropped, and it is bound to be filled with new 0days that ruin some poor SOC on-call’s day.

And how do we respond? With open arms, embracing the brave new world? Oh, if only. More often than not, we retreat, fortifying our defenses, clinging to the familiar like a child to a tattered security blanket.

It’s almost poetic, really. The very professionals tasked with securing the future are often the ones most terrified of it.

Understandably so, though. Each new tech brings new problems and new ways for attackers to misuse it.

The Role of Ego and Identity

And a topic anyone with a blog and newsletter has no idea about: ego.

Ego, that fragile, bloated balloon that so many of us carry around, desperately shielding it from the slightest prick of criticism.

And in infosec? Ego isn’t just present; it’s practically a job requirement. But here’s a little secret, whispered from one ego-driven professional to another: our identities are not our job titles. No matter how many C’s and O’s are in them.

A professional’s sense of self becomes so entangled with their role that they can’t see the forest for the trees. Every decision, every action, is filtered through the lens of “How will this reflect on me?”

We work in an industry where stakes are high and scrutiny is relentless. The siren call of ego-driven, self-serving decisions is almost irresistible.

Why collaborate when you can dominate? Why admit flaws when you can posture and pretend?

But here’s the bitter pill we all must swallow: prioritizing our inflated sense of status over genuine, effective security practices is not just misguided; it’s downright dangerous.

It's time to deflate that ego and recognize that our true worth lies not in titles or accolades but in the tangible, positive impact we can have on our organizations and the broader world.

The Desire for Significance and Recognition

Time for the gold star on our proverbial report card. The A+ on ssllabs. The 100% MITRE ATT&CK covered.

At our core, we all want to be seen, to be acknowledged, to be deemed essential. It’s a basic human need, right up there with Wi-Fi and a decent cup of coffee.

Now, how does this manifest in the world of SecObs? By positioning ourselves as the indomitable gatekeepers, the final arbiters of what goes and what stays.

It’s a power trip, really. By controlling access, by being the ones to give the proverbial thumbs up or down, we cement our significance. “Look at me,” we seem to say, “I hold the keys to the kingdom.”

But here’s a sobering thought: being essential is not the same as being effective.

And while the allure of being the gatekeeper is intoxicating, it’s a fleeting high, often followed by the sobering hangover of realizing we’ve become more obstacle than asset.

Folks will learn to go around you.

“Oh, Matt? Yeah, you’re supposed to get his approval on this, but it’ll delay you a few weeks at least. I’d just get this change out the door, if you do it this way, he won’t notice.”

The Impact of Organizational Culture

Org culture is something that is hard to figure out before you walk in the door and often hard to navigate once you’re in there.

It’s the silent puppet master, pulling the strings behind the scenes, often in ways we can’t recognize.

The broader culture of an organization is like the soil in which SecObs either flourishes or withers. A toxic culture rife with mistrust and territorialism provides the perfect breeding ground for obstructionist behaviors.

On the flip side, a culture that values collaboration, transparency, and mutual respect can act as a salve, soothing the tendencies of even the most ardent SecObs practitioner.

The Director of Security who wants to be checkbox-, ticket-, and change-control-oriented will often either shape up or ship out if the org culture is mature and strong enough to discourage it.

And who is the gardener tending to this organizational soil? That would be the leadership whose voices are most often heard. It is definitely a top-down situation.

Their actions, their words, and their very demeanor set the tone. When leaders prioritize collaboration over obstruction, when they champion open dialogue over siloed decision-making, they send a clear message.

SecObs, in its most toxic form, has no place here.

Strategies for Overcoming Psychological Barriers

Let’s get introspective for a moment, shall we? Because, let’s face it, overcoming SecObs isn’t just about policies and procedures; it’s about confronting our own psychological barriers.

And trust me, that’s a journey riddled with more twists and turns than walking home after last call.

At the heart of this transformation is self-awareness.

It’s about recognizing our biases, our fears, our insecurities. It’s about admitting, however begrudgingly, that we might be part of the problem. But with recognition comes the power to change. Introspection, as painful as it might be, is the first step towards enlightenment.

So, how does one foster a more collaborative and open-minded security mindset?

It’s a dance, really. A delicate balance of seeking feedback, challenging our assumptions, and, dare I say it, occasionally admitting we’re wrong.

Techniques like peer reviews, cross-departmental workshops, and even simple reflective journaling can work wonders. The goal? To shift from a mindset of “me against the world” to one of “us, together, forging a brighter future.”
