When the exception becomes the rule

This text is the result of a conversation I had some time ago with a coworker. The idea came up during a quick coffee break, but over the years I have come to believe that it pointed to a structural problem that deserves to be addressed with a little more calm.

For years, I thought that the problem with cybersecurity was in the details. If I had to be a little more specific today, I would say that the problem is not so much in the details as in what we have done with them: the exception is no longer the exception.

All organizations are full of small special cases. The user who needs local administrator permissions; the umpteenth group in Active Directory that contains only a few people; the application that uses a non-standard port; the legacy database that requires a different backup scheme; the department that needs to run software not included in the whitelist; the manager who needs to be allowed to use USB devices; the server that cannot be patched so as not to break compatibility; the one-off exception in the firewall; the processing of personal data that requires an exception to minimization or retention policies because “the process needs it.”

The exceptions are countless, in both their nature and their number.

One after another. Hundreds of exceptions, all of them legitimate requests. They respond to real business needs and are often made in contexts of pressure, urgency, or operational dependency. The problem is not the intention, but the cumulative effect.

Each exception introduces a tension between the desired benefit and the risk generated. In many cases, decision-makers are fully aware of the benefit, but not necessarily of the associated risk, or at least not to its full extent. Above all, they are usually very clear about what they are not willing to give up, even if that “not giving up” has direct implications for the exposure surface.

This is where the discrepancy between what the business demands and what cybersecurity (and the privacy function) can consistently protect and govern becomes apparent. We repeat that cybersecurity must enable the business, but we rarely verbalize that it must also make explicit the risk that is introduced when an exception is forced.

The reality is that business, security, and privacy are not separate domains, but parts of the same decision-making system. When the tension between need and risk is not consciously managed, exceptions are granted, controls are adapted, and risk is implicitly accepted without a clear understanding of its aggregate impact.

Cybersecurity must enable business. But the more specific, exceptional, and complex a need is—whether technical, operational, or related to the processing of personal data—the more difficult it is to protect and govern it consistently. When that relationship is not understood, risk ceases to be perceived as something that is decided and managed, and instead materializes as a consequence.
