Danny's Newsletter
Why Security at Tech Companies is Hard

Cue Tiny Violin 🎻

Danny
Jun 19, 2025
∙ Paid
Before we start, I want to acknowledge the obvious. Security in general is hard.

In this post, we’re going to go over why and how this is true in its unique way within tech companies.

In a world where it pays to be first, and companies are trying to reach “escape velocity”, stakeholders do not always treat Security as priority number one.

At most tech companies the core product is not a pure cybersecurity play. When that is the case, Security initiatives are in a constant prioritization exercise against product work, and trade-offs are being made all the time.

Let’s take a look at this topic.


Let's Step Back

So why is this hard?

Let’s step back and talk about Second-Order Thinking.

Second-order thinking asks us to pause and consider the long-term implications of our decisions, based not just on what seems good now, but on what will lead to the best outcomes over time.

This blog post on Farnam Street gives a great overview of the idea.

In practice it means going through the scenarios and “playing it out”.

Let’s go over a scenario.

You are choosing between two tech companies to work at: one is a startup and one is a more mature company. After thinking it through, you decide to go with the startup for the following reasons: the more exciting opportunity, more upside, and more impact.

Fast forward 2 years, and the company runs out of money and has to shut down.

You are now in an objectively worse spot than if you had 1) stayed at your previous job or 2) taken the job at the bigger company. That outcome then has its own second-order implications.

Obviously, there’s no bulletproof way to know that the startup was going to fail, but for the purposes of this example we can see how this decision can set us back years after it was made.

At the same time, a startup can turn out to be a massive success and provide a life changing opportunity. The second-order effects of this would be life-altering and positive.

These are some of the exciting aspects of doing Security at a tech company.

This scenario sets the stage for the decisions that need to be made at the company and Security Org level. Whether you’re running a POC for a tool, making the classic build vs. buy decision, or forming a multi-year roadmap, there are non-obvious downstream effects that need to be taken into account.

If you have a hard time weighing decisions and thinking a few years out, doing Security in a tech company will be hard.

The trade-offs and varying levels of compromise that have to be made are part of the job. (Cue Tiny Violin) 🎻

Long story short, you’re trying to get the most bang for your buck out of every decision, and to apply a margin of safety where you can.

An example of a decision of this magnitude is deciding what percentage of users in the Enterprise get Local Admin on their laptops. If you are coming from a DoD background that might seem crazy, but at a tech company this number tends to be high (or 100%).

There are justifications for the different use cases, so the trade-offs need to be made with a risk-based approach: which users actually need it, for how long, and what compensating controls (EDR, MDM, logging) are in place for those who have it.

If this were a seesaw exercise for Security, we would have technology advancements on one side and greater buy-in on the other, each coming with its own opportunity cost.

© 2025 Danny