Unsupervised Thoughts

Adding Value Through Cybersecurity


This post originated from comments John Carmack made on Lex Fridman's podcast (41:04) about motivators for software developers: "Everything we're doing really should flow from user value". He goes on to talk about how exercises like code golf are great challenges, and completing or "winning" them is a great little dopamine hit, but it shouldn't be the underlying motivator in product development. I immediately thought of how much time and effort I've spent on deep technical religious debates over the life of my career, and the parallels in my current role practicing cybersecurity. In IT as a whole we tend to expend far too much time on these debates and end up losing focus on adding value. In cybersecurity this is an especially difficult, but important, goal to achieve. Security decisions are always the classic trade-off of convenience versus security; you can rarely have both. Yet adding value to the business is the goal of any IT branch, including security operations and governance, risk and compliance teams. Approaching security with the question "How are we adding value?" is a good mindset for instilling a culture of security in an organization.

Cybersecurity teams are infamous for being the "team of no". I have had a lot of encounters working with colleagues, vendors and auditors who do not understand frameworks and risk management principles, which results in overly restrictive IT policies and procedures and saying "no" a lot. This culture is deeply entrenched in overbearing IT systems administrators who are hanging onto the past. I recall a lecture in university where the CS department sysadmin filled in for a prof and spent the class explaining to students how "My job would be so much easier if it wasn't for all you users." In some spaces that attitude persists to this day. Although this culture has improved, some of it has trickled into teams with members who come from that era and mentality. This leads to a security approach of locking everything down and saying "no" more than asking "how?". Sure, locking everything down would make our lives much simpler and cost a lot less, but it ignores the needs of the business, frustrates your employees and leads to drops in productivity. Even more importantly, it leads to distrust of the security team and to shadow IT. In healthcare, where a drop in productivity translates to negative outcomes for patient care, this simply isn't acceptable. Cybersecurity practitioners need to come to the table with a curious mindset, understand the needs of the business and work through complex situations to arrive at acceptable solutions. Approaching cybersecurity challenges with the mindset of "How do we add value?" is something the industry could do more of.

This begs the question of how we demonstrate value to the business. That can happen through well-crafted awareness campaigns with messaging that reminds employees the security team is there to help, not to hinder, and that it needs their help in protecting the organisation. Phishing campaigns, for example, should strive to be realistic, measure metrics like report rate as opposed to click rate, and conclude with messages thanking staff for participating in protecting the organisation. SOC metrics need to articulate risk, enable your SOC analysts to focus on the right thing and empower leadership to make good decisions. However, they can also be used to discuss and demonstrate how the security team is adding value. Reducing risk is adding value, and your SOC dashboards are a wealth of information on risk reduction and avoidance. Every incident that is closed without escalating beyond a minor investigation is value. Driving mean time to respond and mean time to resolve down demonstrates value in responding faster than attackers and reducing the possibility of lateral movement. Framing risk assessments as proactive work that will save a lot of questions from your privacy and risk colleagues and auditors in the future, and making them fast and efficient, leads to a positive customer experience that translates to value.

Approaching cybersecurity with the mindset of "Everything we're doing really should flow from user value" is a good way to rethink how things are done. Shift the focus from "no" to "how?", be curious, understand that people inherently want to do the right thing, and partner with them in doing that. I do believe that there has been a positive shift in our industry in both how cybersecurity staff approach their jobs and how the business perceives us. However, I still have far too many conversations about keeping obsolete, unpatchable, insecure technologies around with absolutely zero interest in discussing options. Practitioners approaching that conversation with a mindset of adding value will go a long way toward our customers accepting our mission and seeing it as a shared accountability. If you work in cybersecurity, try starting your day by asking yourself "How will I add value today?".