Sometimes we think that the cybersecurity team should be a kind of controller, powerful people who can tell the rest of the company what they may or may not do. That’s not how cybersecurity works, and it’s not what is best for the business. The cybersecurity team should not act as the police. They are more like the bodyguards who protect the Pope: they cannot tell the Pope where he may or may not go; they can recommend that he not do something, but they can’t force him to do what they want. If the Pope wants to talk with a crowd of people at a given moment, the bodyguards can tell him what they think (if they react fast enough), but they can’t forbid him from getting closer to the people if he wants to.
Even then, the bodyguards have to do whatever they can to protect him. They cannot refuse to protect him because he is not obeying them, and they cannot ask him to sign a paper saying that he has accepted the risk.
As for the specific security measures, the bodyguards cannot write them down on a piece of paper and then ask the Pope simply to follow them. They can meet with the Pope before an event and tell him the risks and what he should or shouldn’t do. But they have to explain the security measures in plain words, and those measures have to be few and clear enough for him to follow.
If the security measures make sense and are proportional to the risk, he will probably follow them. If they are too strict or too difficult to follow, he will probably avoid them.
The bodyguards should avoid interfering with his actions, but they are expected to act in proportion to the risk and to know what to do in any situation. If the risk is real and imminent, they are expected to throw themselves over the Pope without asking permission, because they know what their mission is and why they exist. Obviously, jumping on him when the risk does not justify it, for example because a kid has popped a balloon, can cause problems for the bodyguard team.
The bodyguards of the Pope have to be very intelligent when designing the security measures. If they are able to make them transparent, trivial to follow, and effective, security will be great.
The bodyguards of the Pope don’t rule over him. They serve the Pope so that he can accomplish his objectives.
As cybersecurity professionals, we have to be like the bodyguards of the Pope. We have to serve, and we have to adapt the security measures. We have to understand that, although security is important, it is more important that the organization accomplishes its mission. We have to listen to what our company wants and needs, and we have to take responsibility for its security, even when our organization is not sure how to comply with the recommendations and security controls that we define.