Part 1: Rigidity, Friction, and Toil: The Security Debt You Didn’t Know You Were Paying

From Pain to Gain: Turning Rigidity and Toil into Security Wins

The delicate balance between security, operational efficiency, and user experience has long eluded many organizations. Cybersecurity solutions, designed to safeguard enterprises against evolving threats, often come with hidden costs. These costs, manifesting as rigidity, friction, and toil, slowly erode productivity, delay time-to-market, and stifle innovation. Overcoming these barriers requires more than just meeting compliance checkboxes—it demands a deeper, more cohesive approach to risk mitigation that aligns security with broader business and operational goals.

Building on Phil Venables’ framework for reshaping security incentives, this article examines the strategies organizations can adopt to reduce rigidity, friction, and toil in their cybersecurity practices. By reframing security as a driver of value rather than a necessary burden, enterprises can create systems that are not only resilient but also empower growth and efficiency.

Understanding the Security Paradox

Security teams operate in a constant state of paradox: the tools and processes intended to protect the enterprise often become obstacles to progress. For example, a development team may struggle with prolonged approval workflows, clunky integration tools, and opaque guidelines. While these controls are meant to secure the organization, they inadvertently amplify rigidity, increase friction, and pile on operational toil. The results are predictable: delays, frustration, and a growing perception of security as a bottleneck rather than a partner.

Key Definitions

  • Rigidity: The inability of security systems to adapt to changing needs or environments, often due to inflexible architecture or vendor lock-in.
  • Friction: Barriers—be they procedural, technical, or cultural—that hinder the seamless implementation or use of security mechanisms.
  • Toil: Repetitive, manual work that could be automated, consumes resources without yielding long-term value, and grows with the size of the environment rather than shrinking as it is done; it is usually tied to inefficiencies in process or technology.

Quantifying the Elusive: Measuring Rigidity, Friction, and Toil

Transforming these abstract challenges into actionable problems begins with measurement. Metrics allow organizations to uncover inefficiencies and target areas for improvement.

Implementation Time as a Diagnostic Lens

The time required to deploy or configure security controls is often a red flag for inefficiencies. Delays in integrating security tools into CI/CD pipelines, for example, highlight unnecessary complexity or poor alignment with modern development workflows. Splitting that time into waiting for approval and doing the integration work separates process friction from technical friction, and tracking both across environments—on-premises, cloud, or hybrid—helps pinpoint systemic bottlenecks.
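One way to turn that measurement into something a team can act on, as an added example (not code from the original article or from Venables’ framework): record each control rollout with three timestamps and split the lead time into waiting for approval and doing the integration work, then compare medians and p90s per environment. The control names, environments and timestamps below are constructed sample data, and the 72-hour p90 target is an assumed threshold.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List


@dataclass
class ControlRollout:
    """One request to put a security control into an environment.

    requested_at -> approved_at is time spent waiting on people (process friction);
    approved_at  -> deployed_at is time spent on integration work (technical friction).
    """
    control: str
    environment: str
    requested_at: datetime
    approved_at: datetime
    deployed_at: datetime

    def approval_wait_hours(self) -> float:
        return (self.approved_at - self.requested_at).total_seconds() / 3600

    def integration_hours(self) -> float:
        return (self.deployed_at - self.approved_at).total_seconds() / 3600


def p90(values: List[float]) -> float:
    """Nearest-rank 90th percentile: unlike the mean, a few smooth rollouts cannot hide the slow ones."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.9 * len(ordered)) - 1)]


def rollout_metrics(rollouts: List[ControlRollout]) -> Dict[str, dict]:
    """Per-environment median and p90 of each stage, plus which stage dominates the delay."""
    by_env: Dict[str, List[ControlRollout]] = {}
    for r in rollouts:
        by_env.setdefault(r.environment, []).append(r)
    metrics: Dict[str, dict] = {}
    for env, items in by_env.items():
        waits = [r.approval_wait_hours() for r in items]
        work = [r.integration_hours() for r in items]
        metrics[env] = {
            "count": len(items),
            "approval_wait_median_h": median(waits),
            "approval_wait_p90_h": p90(waits),
            "integration_median_h": median(work),
            "integration_p90_h": p90(work),
            # Tells you whether to fix the approval process or the tooling first.
            "dominant_friction": "process" if median(waits) > median(work) else "technical",
        }
    return metrics


def flag_bottlenecks(metrics: Dict[str, dict], max_p90_hours: float = 72.0) -> List[str]:
    """Environments whose p90 for either stage exceeds the agreed target (72 h is an assumed value)."""
    return sorted(env for env, m in metrics.items()
                  if m["approval_wait_p90_h"] > max_p90_hours or m["integration_p90_h"] > max_p90_hours)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (hypothetical control names and timestamps, not real data).
SAMPLE_ROLLOUTS = [
    ControlRollout("sast-scanner",    "cloud",   _t("2024-03-01T09:00"), _t("2024-03-01T13:00"), _t("2024-03-01T17:00")),
    ControlRollout("secret-scanning", "cloud",   _t("2024-03-04T09:00"), _t("2024-03-04T11:00"), _t("2024-03-05T11:00")),
    ControlRollout("sast-scanner",    "on-prem", _t("2024-03-01T09:00"), _t("2024-03-08T09:00"), _t("2024-03-09T09:00")),
    ControlRollout("secret-scanning", "on-prem", _t("2024-03-04T09:00"), _t("2024-03-14T09:00"), _t("2024-03-15T15:00")),
]

if __name__ == "__main__":
    m = rollout_metrics(SAMPLE_ROLLOUTS)
    for env, stats in m.items():
        print(env, stats)
    print("bottlenecks:", flag_bottlenecks(m))
```

On the sample data the cloud environment is dominated by integration time while on-prem is dominated by approval wait, which points at two different fixes: better tooling in one case, a leaner approval path in the other.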

Customer and Developer Experience as Indicators

Security tools should facilitate progress, not obstruct it. Measuring experience through Net Promoter Scores (NPS) or user effort scores reveals usability issues. Consider:

  • How intuitive are the interfaces for internal stakeholders?
  • How many steps does it take to securely onboard a user?
  • What friction points exist in developer workflows?

Unveiling Rigidity Through Dependencies

Rigidity often hides in deeply ingrained systems. Evaluating the effort required to upgrade or replace a solution can expose architectural inflexibility, vendor lock-in, or poor modularity. Dependency mapping becomes a critical tool for identifying these hidden barriers.

Tracing the Roots: Sources of Friction and Toil

Friction’s Many Faces

  • Process Friction: Overly manual approval workflows and fragmented processes delay progress.
  • Technical Friction: Redundant functionalities and inconsistent APIs create inefficiencies.
  • Cultural Friction: Misaligned priorities and siloed teams exacerbate organizational inertia.

The Hidden Costs of Toil

Toil represents the unseen labor of repetitive, manual tasks. For instance, manually triaging security alerts not only wastes time but also undermines morale. These tasks, though necessary, offer no long-term value and often result from an overreliance on outdated tools or processes.

The Organizational Origins of Rigidity

  • Sunk Cost Fallacy: Continued investment in legacy systems discourages innovation.
  • Vendor Lock-In: Dependence on proprietary solutions limits adaptability and increases costs.

Strategic Interventions for Reducing Rigidity, Friction, and Toil

Addressing these challenges requires organizations to rethink how they approach cybersecurity. Venables’ framework offers practical strategies for embedding resilience into broader operational practices.

1. Don’t Just Focus on Security

Security shouldn’t be positioned solely as a compliance requirement. Instead, it should align with initiatives that deliver operational benefits—with security improvements as a natural side-effect.

  • Software Reproducibility: Standardizing builds and pipelines enhances agility and reliability, makes it possible to verify that a shipped artifact matches its source, and enables faster patching and vulnerability management.
  • Infrastructure as Code (IaC): Because environments can be rebuilt from a version-controlled definition instead of being repaired by hand, IaC accelerates recovery from outages and ransomware events, blending security and operational resilience.

2. Focus on Tail Risks

Addressing low-probability, high-impact risks requires both mitigation and containment.

  • Risk Transparency: Escalate existential risks to senior leadership to ensure action.
  • Stress Testing: Simulate real-world scenarios to expose vulnerabilities and test response mechanisms.
  • Reducing Blast Radius: Design systems to contain failures, reducing their impact.
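The dependency mapping described under “Unveiling Rigidity Through Dependencies” and the blast-radius point above are the same graph question asked from two directions: the set of components that transitively depend on something decides both how much breaks when it fails and how much must be touched to replace it. The added example below (not from the original article or from Venables’ work) ranks components by that number and flags dependency cycles, which mark pairs that cannot be upgraded or swapped independently. The component names and the dependency map are constructed.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed dependency map: component -> components it depends on.
# Hypothetical names; an edge points from a consumer to the thing it relies on.
SAMPLE_DEPENDENCIES: Dict[str, List[str]] = {
    "payments-api":    ["auth-gateway", "vendor-waf"],
    "orders-api":      ["auth-gateway", "vendor-waf"],
    "reporting-job":   ["orders-api"],
    "auth-gateway":    ["vendor-iam"],
    "legacy-ldap":     ["vendor-iam"],
    "config-service":  ["batch-scheduler"],
    "batch-scheduler": ["config-service"],
    "vendor-waf":      [],
    "vendor-iam":      [],
}


def reverse_graph(deps: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert edges so we can ask 'who depends on X?' instead of 'what does X depend on?'."""
    rev: Dict[str, List[str]] = {node: [] for node in deps}
    for node, targets in deps.items():
        for t in targets:
            rev.setdefault(t, []).append(node)
    return rev


def transitive_dependents(deps: Dict[str, List[str]], component: str) -> Set[str]:
    """Every component that directly or indirectly depends on `component`.

    This is the blast radius if `component` fails, and the set of things that must be
    touched if it is replaced; a large set is rigidity made visible.
    """
    rev = reverse_graph(deps)
    seen: Set[str] = set()
    queue = deque(rev.get(component, []))
    while queue:
        node = queue.popleft()
        if node in seen or node == component:
            continue
        seen.add(node)
        queue.extend(rev.get(node, []))
    return seen


def rank_by_blast_radius(deps: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Components ordered by how many others are affected by their failure or replacement."""
    sizes = [(c, len(transitive_dependents(deps, c))) for c in deps]
    return sorted(sizes, key=lambda pair: (-pair[1], pair[0]))


def find_cycles(deps: Dict[str, List[str]]) -> List[List[str]]:
    """Dependency cycles found by DFS back-edge detection.

    A cycle means neither side can be upgraded or swapped on its own: lock-in in graph form.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    color: Dict[str, int] = {}
    path: List[str] = []
    cycles: List[List[str]] = []

    def visit(node: str) -> None:
        color[node] = GREY
        path.append(node)
        for dep in deps.get(node, []):
            state = color.get(dep, WHITE)
            if state == GREY:                      # back edge: dep is still on the current path
                cycles.append(path[path.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        path.pop()
        color[node] = BLACK

    for node in deps:
        if color.get(node, WHITE) == WHITE:
            visit(node)
    return cycles


if __name__ == "__main__":
    for component, radius in rank_by_blast_radius(SAMPLE_DEPENDENCIES):
        print(f"{component:16s} transitive dependents: {radius}")
    for cycle in find_cycles(SAMPLE_DEPENDENCIES):
        print("cycle:", " -> ".join(cycle))
```

On the constructed map the proprietary identity provider sits under the most components, so it is both the largest single point of failure and the most expensive thing to replace; that is the number to put in front of leadership when making the case for decoupling or for a migration budget.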

3. Deliver Real and Tangible Savings

Security initiatives can—and should—drive cost reductions.

  • Control Consolidation: Replace redundant tools with modern, integrated solutions to streamline operations.
  • Secure Defaults: Architect systems with built-in security to reduce implementation costs.
  • Automation: Reduce toil by automating repetitive tasks like log analysis and incident triage.
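To make the alert-triage toil from “The Hidden Costs of Toil” and the automation point above concrete, here is an added example (not code from the original article): it groups duplicate alerts by fingerprint, auto-closes those matching a reviewed suppression rule, enriches the rest with asset criticality to order the analyst queue, and reports how much of the raw volume no longer needs a human. The alerts, asset inventory and suppression rule are constructed, and the field names are assumptions rather than a real SIEM schema.

```python
import json
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple

# Constructed sample alerts in JSON Lines form (hypothetical rule names, hosts and users).
SAMPLE_ALERTS = """
{"id": 1, "rule": "failed-login-burst", "host": "web-01", "user": "alice", "ts": "2024-03-01T09:00:00"}
{"id": 2, "rule": "failed-login-burst", "host": "web-01", "user": "alice", "ts": "2024-03-01T09:00:30"}
{"id": 3, "rule": "failed-login-burst", "host": "web-01", "user": "alice", "ts": "2024-03-01T09:01:00"}
{"id": 4, "rule": "scheduled-task-created", "host": "backup-02", "user": "svc_backup", "ts": "2024-03-01T02:00:00"}
{"id": 5, "rule": "scheduled-task-created", "host": "db-01", "user": "bob", "ts": "2024-03-01T03:15:00"}
{"id": 6, "rule": "new-admin-member", "host": "dc-01", "user": "mallory", "ts": "2024-03-01T04:00:00"}
{"id": 7, "rule": "failed-login-burst", "host": "web-02", "user": "alice", "ts": "2024-03-01T09:02:00"}
"""

# Constructed asset inventory used for enrichment; in practice this comes from a CMDB.
ASSET_CRITICALITY = {"dc-01": "critical", "db-01": "high", "web-01": "medium", "web-02": "medium", "backup-02": "low"}
_PRIORITY = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

# Suppression rules: (predicate, reason). Each one is a constructed example of a reviewed,
# documented decision that a specific pattern is expected behaviour.
SUPPRESSIONS: List[Tuple[Callable[[dict], bool], str]] = [
    (lambda a: a["rule"] == "scheduled-task-created"
               and a["host"].startswith("backup-")
               and a["user"] == "svc_backup",
     "expected: backup service account manages its own scheduled tasks"),
]


def parse_alerts(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def fingerprint(alert: dict) -> Tuple[str, str, str]:
    """Alerts with the same rule, host and user are one investigation, not three."""
    return (alert["rule"], alert["host"], alert["user"])


def triage(alerts: List[dict]) -> Tuple[List[dict], Dict[str, float]]:
    """Dedupe, suppress, enrich and prioritise. Returns (analyst_queue, stats)."""
    groups: "OrderedDict[Tuple[str, str, str], dict]" = OrderedDict()
    for a in alerts:
        fp = fingerprint(a)
        if fp not in groups:
            groups[fp] = dict(a, occurrences=0, ids=[])
        groups[fp]["occurrences"] += 1
        groups[fp]["ids"].append(a["id"])

    queue: List[dict] = []
    auto_closed: List[dict] = []
    for g in groups.values():
        reason = next((r for pred, r in SUPPRESSIONS if pred(g)), None)
        if reason:
            g["closed_reason"] = reason      # keep the record: auto-closed is not the same as discarded
            auto_closed.append(g)
            continue
        g["criticality"] = ASSET_CRITICALITY.get(g["host"], "unknown")
        queue.append(g)

    # Most critical asset first; within the same criticality, the noisiest fingerprint first.
    queue.sort(key=lambda g: (_PRIORITY[g["criticality"]], -g["occurrences"]))
    stats: Dict[str, float] = {
        "raw": len(alerts),
        "unique": len(groups),
        "auto_closed": len(auto_closed),
        "needs_analyst": len(queue),
    }
    stats["toil_reduction_pct"] = round(100 * (len(alerts) - len(queue)) / len(alerts), 1)
    return queue, stats


if __name__ == "__main__":
    work, summary = triage(parse_alerts(SAMPLE_ALERTS))
    for g in work:
        print(f'{g["criticality"]:8s} {g["rule"]:24s} {g["host"]:10s} x{g["occurrences"]} ids={g["ids"]}')
    print(summary)
```

Two caveats a practitioner would add: every suppression should carry an owner and an expiry date so stale exceptions do not silently blind the team, and auto-closed alerts must remain queryable so the rule itself can be audited. The toil figure (raw alerts minus those still needing a person) is the number to track week over week.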

4. Improve Customer and Developer Experience

Empowering users directly impacts adoption and usability.

  • Customer Experience: Simplify authentication and fraud prevention workflows while offering intuitive dashboards.
  • Developer Experience: Streamline security processes to reduce friction in development pipelines.

5. Address Status-Quo Disincentives

Organizations often unknowingly incentivize harmful behaviors. To counteract this:

  • Financial Incentives: Share the costs of maintaining legacy systems across departments to encourage modernization.
  • Promotion and Rewards: Recognize proactive risk reduction behaviors.
  • Encouraging Escalation: Establish formal escalation mechanisms to address critical risks promptly.

Why It All Matters

When organizations reduce rigidity, friction, and toil, they unlock transformative potential:

  • Enhanced Productivity: Engineers and developers spend less time navigating barriers, accelerating time-to-market.
  • Improved Morale: Automating repetitive tasks reduces burnout, fostering a more engaged workforce.
  • Strengthened Security Posture: Streamlined processes and integrated tools improve compliance and resilience.

Redefining Security’s Role

Reframing security as an enabler rather than a bottleneck is the key to a more agile, resilient cybersecurity posture. By aligning security initiatives with broader operational goals, organizations can transform rigidity, friction, and toil from burdens into opportunities for improvement.

Success lies in the ability to not just meet compliance checkboxes but to deliver systems that empower innovation, enhance resilience, and drive real business value. In this reimagined approach, security becomes seamless—a natural extension of operational excellence.

References and Further Reading

1. Phil Venables’ Blog on Security Incentives
o Venables, Phil. “What Will Truly Incentivize Organizations to Embrace Security?”
https://www.philvenables.com

2. NIST Cybersecurity Framework
o National Institute of Standards and Technology (NIST).  “Framework for Improving Critical Infrastructure Cybersecurity.”
https://www.nist.gov/cyberframework

3. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win
o Gene Kim, Kevin Behr, and George Spafford. (2013).

4. Google’s BeyondProd: A New Approach to Cloud-Native Security
o Google. “BeyondProd: A New Approach to Cloud-Native Security.”
https://cloud.google.com/blog/products/identity-security/beyondprod-new-model-for-cloud-native-security

5. The Site Reliability Workbook
o Betsy Beyer, Niall Richard Murphy, David K. Rensin, Kent Kawahara, and Stephen Thorne. (2018). O’Reilly.

6. Automation in Cybersecurity:  Trends and Best Practices
o Cisco. “How Automation Can Strengthen Cybersecurity Operations.”
https://www.cisco.com

7. Chaos Engineering for Security
o Rinehart, Aaron, et al. Security Chaos Engineering: Developing Resilience and Safety at Speed and Scale.
https://www.securitychaosengineering.com

8. OWASP SAMM (Software Assurance Maturity Model)
o OWASP Foundation. “Open Web Application Security Project.”
https://owaspsamm.org

9. SRE Principles in Practice: Reducing Toil
o Google. “Reducing Toil:  Site Reliability Engineering.”
https://sre.google/sre-book/toil/

10. Infrastructure as Code: Benefits and Best Practices
o HashiCorp. “Infrastructure as Code with Terraform.”
https://www.hashicorp.com/terraform

11. Net Promoter Score (NPS) in Technology
o Bain & Company. “The Net Promoter System.”
https://www.netpromotersystem.com

12. Stress Testing for Operational Resilience
o Financial Stability Board (FSB). “Principles for Operational Resilience.”
https://www.fsb.org

13. Automating Log Analysis Using Machine Learning
o Splunk. “Using AI for Cybersecurity Operations.”
https://www.splunk.com

These references provide deeper insights and actionable guidance for organizations looking to address rigidity, friction, and toil while strengthening their cybersecurity and operational resilience.

Author: Aaron Rinehart
Aaron has spent his career solving complex, challenging engineering problems and transforming cybersecurity practices across a diverse set of industries: healthcare, insurance, government, aerospace, technology, higher education, and the military. He has been expanding the possibilities of chaos engineering in its application to other safety-critical portions of the IT domain, most notably in cybersecurity.
