Sometimes we think that the cybersecurity team should be like controllers or powerful people that can say to the rest of the company what they can do or not. That’s not how cybersecurity works and that’s not the best thing for the business. The cybersecurity team should not act as the police. They are more like the bodyguards that protect the Pope: they cannot tell the Pope where he can go or not; they can recommend the Pope not to do something, but they can’t force the Pope to do what they want; if the Pope wants to talk with that many people at this moment, the bodyguards can tell him what they think (if they react really fast), but they can’t forbid the Pope to get closer to the people, if he wants.
