Is your definition of security holding you back?

Without a clear definition of security that is consistent throughout your team, how can you expect people in your organization to comply?

Hunched forward in an effort to find comfort in old, wooden chairs gathered around a whiteboard in an oversized conference room, the ten people sitting before me each clutched a single sheet of white paper in one hand, a pen in the other.

Nervously, they looked to me for direction, wondering what on earth I was about to ask them to do.

"Take 5 minutes and write down your definition of the word security," I asked.

(Tip: it might be interesting to stop reading, take a moment, and do the same.)

Nervousness instantly changed to comfort, for I asked a simple question everyone knew the answer to. Each of the participants quickly started to scribble their definition on the paper.

About a minute later, I noticed a few people scratching out words, phrases and, in some cases, the entire definition.

Three minutes in, people were still writing, pausing for a moment to think, draw an arrow or two, scratch out a concept and then scribble again.

At the end of the five minutes, I asked the members of this team to share not only their definitions, but also their reflection on the exercise. More interesting than the actual shared definitions was the fact that by asking 10 security professionals to define security, I got 15 responses!

I've repeated this challenge multiple times and generally get more definitions than the number of people.

This happens because when first presented with information, a task or a concept familiar to us, we readily presume understanding.

The moment we need to translate a loosely held notion in our minds to a precisely defined meaning, we realize that context matters and the definition might change.

Test it out on yourself and on your team.

Why it matters

To be an effective security professional requires an understanding of risk, risk tolerance, threats, business, and a multitude of other essential topics. Under the moniker of "security" lies a broad range of technologies, processes, and services we offer to those we serve in an effort to reduce or maintain risk at reasonable, acceptable levels.

Consider the responses people offer when we introduce ourselves as security professionals. Over the last two decades of testing and changing how to explain what we do, the responses have tended to focus on what the person I was talking to understood. If they considered security a firewall, that's what they thought I did. If it meant a bodyguard, I must be in personal protection.

For some folks, though, it's just too nebulous to pin down (it has too many meanings); for these people, we're more likely an impediment to their success (real or perceived) than anything else.

If we are unable to advance a clear, consistent definition of security, how can we reasonably expect the people we serve to understand, let alone comply?

We provide a valuable service to the organization, but to be successful, we have to be clear on what that service is.
What to do about it

While the exercise may not prove simple, the first step is to work with the team to define what it means to be secure. Perhaps go further and describe -- using a common example -- how your efforts to improve security and reduce risk help the business.

Then walk the definition around to the water cooler and lunch tables and socialize it with examples to the folks you know. Ask them how they would describe what you do. By sharing a documented approach with them and listening to their impressions, it is possible to build a definition others will understand and possibly embrace. In the meantime, what does it mean to be secure at your organization? Does your entire team know this?

About Michael Santarcangelo

Helping people effectively communicate value improves the organizations that work with Michael, a modern raconteur -- writer, speaker and catalyst. Learn more at or engage with Michael on twitter @catalyst.
