Laws of Security



Security is not here to:

Perform every security action needed to secure the organization.

Block or dictate what can and can't be done.

Stop forward momentum.

Security is here to:

Help secure the organization by force multiplying.


Simplify the use and understanding of security, giving it a clear purpose and function.


Security writes guidelines and policies that serve as a North Star for the company and its teams.

Security creates automation and self-service processes so people can do security themselves; it is their obligation to secure their areas of responsibility.

Security creates guardrails to make sure the standard and minimum baselines are maintained within the confines of the guidelines and policies.

Security educates other organizations and teams, and works with them so they have the needed information and tools to secure their domain.


Security enforces the guidelines and policies whenever an action generates security risk.

Security escalates problems and risk as soon as there is minimal friction so solutions can be found by engaging the right people in a leadership role.

Original source: Security Operating Model and Force Multiplying Security