Security is applied and practised, not titled, in the real world: Organisational, individual, departmental, government and representative failures.
Security remains a perpetual, unfinished and adaptive practice, poorly represented by divisive, siloed and role-based behaviour(s).
That is, providing security requires holistic consideration of the threats, assets, environments, technology, social factors, organisation/entity and freedom of action or constraints.
Therefore, security cannot be solved by one person, discipline or perspective because all hazards require all hands, disciplines, perspectives and considerations.
This division and myopic view present gaps and exploitable vulnerabilities, and play security actors, protectors, representatives and disciplines off against each other... not against the adversary, threat, danger or hazard. As a result, a better approach (read comprehensive, inclusive and excluding nothing) is the provision of security, not a job title, role, responsibility, budget, audit or other factorial aspects involved in the assessment, design, implementation, delivery and maintenance of a secure or safe environment.
A simple enough premise, it seems overly simplistic but remains the primary Achilles heel and exploitable weakness for human adversaries, criminals, bad actors and organised groups with deliberate, malevolent intent.
In other words, thieves, hackers, bad actors, terrorists and criminals are focused on the prize(s), outcomes, obstacles and means required for success.
Threat actors DO NOT CARE about your org chart, budget allocation/cost code, job title, department, agency, pedigree or where you went to school.
The bad actors benefit from division, poor communication, duplication, inefficiency, rivalry, confusion and other organisational separations.
Organisational structures and resourcing should follow the analysis of the opportunity and threats, not drive the solution(s).
This applies particularly to security, where a dominant threat actor consideration is that of intelligent, adaptive, resourceful and purpose-driven human adversaries who will intentionally circumvent 'controls', security measures and practices.
You'd be hard-pressed to find a business or asset class that doesn't encompass varying socio-technical factors. Therefore, socio-technical solutions and security practices are required.
Convergence remains challenging, especially when governments, regulators, administrators, boards and executives tend to have a 'get away with' approach to a 'grudge cost' such as security. Make money, make a profit... maybe security is considered later, only after we make a bigger annual profit.
In other words, safety/security first rarely takes pride of place at the top of any business budget, investment or plan.
In sum, if you start your security thinking, planning and approach with 'security of...' as opposed to <label> security, you will find a remarkable change of framing and approach.
That is, you will perceive the problem from all aspects and representative agents, as opposed to attributing artificial and bounded rationalities to complex, wicked, network and nascent threats, risks and vulnerabilities. Try it. Try it with a generalist, and watch how they change their approach to 'security'. Perhaps you and your organisation should too.
Security, Risk, Resilience, Safety, & Management Sciences