What is Security Differently?
Security Differently is a new evidence-based cybersecurity practice adapted from safety. By shifting the focus from preventing incidents to improving performance, security changes from a cost to an investment that can be measured directly.
There are two core principles of Security Differently:
- Instead of preventing bad outcomes and behaviors, promote good outcomes and behaviors (learning over compliance)
- Security is a shared responsibility (the security team doesn’t create security)
How does this work in practice? The table below highlights key differences between Traditional Cybersecurity and Security Differently:
Traditional Security | Security Differently |
---|---|
Large security team | Small or no security team |
Success defined by absence of security incidents or breaches | Success defined by presence of security capacities (smaller attack surface, faster patching, MFA) |
Directs how work is done | Supports work as done |
Constrains performance | Improves performance |
Security team is responsible for security | Security is a shared responsibility across the organization |
Security is focused on compliance with external rules and regulations | Demonstrating security to outside stakeholders is a separate activity |
CISO is blamed for a breach | Breaches are an opportunity for learning |
Poor security engagement | High security engagement |
Security creates controls, policies, and procedures to prevent mistakes | Security provides tools and environments to support security work |
CISO has overall responsibility | CEO has overall responsibility |
Security team creates security | Operations and Development create security |
Training focused on awareness and compliance | Training focused on behaviors that promote security and learning |
Security is a cost | Security is an investment |
Further Reading
Blog posts on Security Differently, newest first: