I was once working with a very large organisation helping deliver a new online service. As we were going through the first project phase we were linked up with an internal security expert, which was standard practice there.
Then as he got to understand the service he started creating new requirements for us, in the name of security. Some were obviously good ideas, but the value of some others wasn’t so obvious. And many of those not-so-obvious ones made our life difficult, because there were deadline pressures and these weren’t helping. When we asked about them the answer was clear: “You need to do this.” There was no debate.
Following his stance it was clear what security was for: there were boxes we needed to tick before we could release the system. It was slightly frustrating, and I put it down to life in a big organisation.
As we were going through the second phase we were linked up with a different security expert. As he got to understand the service he also started introducing new ideas. But he didn’t present them as requirements—he presented them as recommendations. Some (again) were clearly good ideas. But when we asked about the more challenging ones his response was not “You have to do this”; it was to talk about the value of our customers’ data, to explain how things could go wrong, and to present us with questions that forced us to weigh up our customers’ protection against providing them with the new features.
Following his stance it was clear what security was for: it was for our customers. It was a very positive experience, because an expert with new skills had joined us, and he was clearly interested in the same thing as us: serving our customers as best we could. As a bonus, he wasn’t even a line item in the project’s budget.
Sometimes digital security (and its more outward-facing sibling, compliance) may seem like a box-ticking exercise. But we (and at least one security expert I’ve met) need to remember that ultimately we’re doing it to help our customers and users.