Security Leadership Master Class 7 : Contrarian takes
- Phil Venables
This is the final post of the series, each of which groups together sets of prior posts around a particular theme.
Security Leadership Master Class 1 : Leveling up your leadership
Security Leadership Master Class 2 : Dealing with the board and other executives
Security Leadership Master Class 3 : Building a security program
Security Leadership Master Class 4 : Enhancing/refreshing a security program
Security Leadership Master Class 5 : Getting hired and doing hiring
Security Leadership Master Class 7 : Contrarian takes
Let’s close with some contrarian takes and a bit of humor. If you’ve spent any time in the trenches of cybersecurity, you know that while the stakes are high, the daily reality is often a mix of high drama, low comedy, and inexplicable rituals.
The Curse of Binary Thinking
Security professionals love to deal in absolutes. We often fall into the trap of asserting that if something isn’t perfect, it must be terrible. This is the curse of binary thinking.
You see this everywhere. We declare that compliance is counterproductive, ignoring the reality that while it isn't sufficient for security, it often provides a necessary baseline, much like building codes or restaurant health ratings. We love the snarky line that “the cloud is just someone else’s computers,” intending it as a negative, while ignoring the reality that those computers are often far better secured at scale than their on-premises equivalents.
Perhaps the most classic binary trap is the "security through obscurity" debate. We treat Kerckhoffs’s principle (that a system should stay secure even when everything about it except the key is public) like a religion, insisting that any obscurity is bad. In reality, keeping an attacker guessing is a perfectly valid defense strategy, provided it isn't your only defense. If you find yourself thinking in black-and-white absolutes, take it as a red flag to do some critical thinking.
Ceremonial Security
Sometimes, we don’t just practice security, we perform it. We are prone to “ceremonial security.” This is subtly different from security theater, which mostly never served a purpose in the first place. Ceremonial security is our modern-day “cargo cult,” where we perform rituals hoping they will make us safe, even when the original intent has long been lost.
The Ritual of the Check Box: We build priesthoods around compliance regimes, focusing on the ceremony of satisfaction rather than the actual risk the controls were meant to mitigate.
The Rite of Risk Acceptance: This often devolves into a bureaucratic step where business leaders instinctively ask, “what do I need to do to record that I'm accepting the risk so I can move on?”
The Quarterly Access Review: This is perhaps the weariest ritual, where managers blindly re-certify privileges using poor tools, just to satisfy the audit gods.
The Password Change: We bludgeon users into ritualistic password changes and weird construction rules, clinging to an easy checklist item even when better authentication controls exist.
We must be careful that our security controls don't turn into perverted versions of their original intent.
Caricatures of Security People
If you look around, you will surely recognize a few of these caricatures:
The Self-Appointed Thought Leader: You know the one. They curate a LinkedIn profile full of titles like "Board Director" (for a non-profit) and list their education as "Harvard" (based on a one-week online course).
The Industry Analyst: They aren't happy until they invent a product category name like "CRPR" or "BOLX," and will only invite you to speak at their prestigious conference if you pay a sponsorship fee.
The Corporate Generalist Turned CISO: A Six Sigma black belt who claims security is "simply only a business problem," wearing their lack of technical understanding as a badge of honor.
The Small Business IT Staff: The poor soul running IT, security, and auditing, who is also responsible for the firmware updates on the office Nespresso machine.
The Cyber Savvy Board Member: Designated the “expert” because they once met an NSA person at a cocktail party.
How to Tell if You Are a Security Professional
Finally, if you are wondering if you have been in this game too long, you might be a security professional if...
You sit in a room and instinctively look for cameras, alarms, and escape routes.
You fail your own security awareness tests because the right answer is actually nuanced and somewhere between the multiple choices.
You manipulate every URL on every website you use just to see what happens.
Your Board insists they have zero risk appetite for breaches but still uses their personal AOL email for sensitive documents.
Family members describe you as a "hacker" or "security guard" and you’ve stopped bothering to correct them.
You have to explain to leadership why you aren't buying AI products just because they were marketed in The Economist.
An incident occurs related to a risk that was formally accepted and the person who accepted it asks why you let them do that.
Finally, if you spot the failure modes of everything to the annoyance of your family and friends—congratulations, you are definitely a security professional.
Here’s a short video (thanks to NotebookLM) covering all of this.
The blog posts used to build this video and summary are here: