Five Timeless Principles of Security

Roman Jasins


Most days, when talking about security we tend to focus on AI, the latest tech, regulations, frameworks, or threat intelligence. Yet some of the most powerful approaches to security leadership aren’t new at all; they’ve been around for centuries.

I keep returning to these principles every time I take part in responding to a security incident or try to find ways across the functional boundaries in organizations that create inefficiencies.

Here are five principles I believe are valuable for security leadership that go beyond technical controls, policies and procedures.

1. Transform Obstacles Into Opportunities

Traditionally we focus on preventing possible failures. We build increasingly complex controls aimed to block every conceivable threat. Yet breaches continue to happen, and when they do, organizations that invested solely in prevention find themselves unprepared.

The map is not the terrain here. Our prevention-focused security frameworks are maps that help us navigate complexity, but they don’t capture the full reality of what happens when security fails. Instead of measuring backwards (breaches we failed to prevent), why not measure forwards (how quickly do we detect, contain, and learn from security events)? This shift from a prevention mindset to one embracing resilience transforms security incidents from failures into learning opportunities.

Some practical things you can do:

  • Run regular tabletop exercises treating breaches as inevitable rather than theoretical.
  • Create feedback loops to systematically learn from security incidents.
  • Build response capabilities as robust as your preventative measures.
  • Measure your team’s ability to detect, respond, and recover—not just prevent.
  • Don’t treat incidents as mere failures; instead, try to learn from them. Yes, limit the impact and issue a timely response, but do take time to analyze and improve upon it.

2. Create Conditions for Success

Security teams often earn the “blocker” reputation—implementing controls that other departments view as obstacles. This creates friction, incentivizes workarounds, and ultimately weakens security.

Defining security primarily as “preventing bad things” captures an incomplete truth. When this definition becomes the measure of success or failure, it becomes too constraining. Instead of forcing compliance through control, we can create environments where secure behavior happens naturally. This means redesigning security processes to align with how people actually work, not how we wish they would work.

Some practical considerations:

  • Design security controls that make secure behavior the path of least resistance.
  • Create security patterns that development teams can implement without security review.
  • Develop clear guardrails that enable autonomous decision-making.
  • Even if it feels counterintuitive, measure security effectiveness by business enablement, not just risk reduction.

3. Know Your Environment Deeply

The majority of organizations implement security measures based on general best practices without truly understanding their specific context. This leads to misaligned security investments and dangerous blind spots.

There’s a delicate balance here. The organization needs structure—everyone making independent security decisions would create chaos. Yet within that structure, there must be room for context-specific approaches that acknowledge unique threats and business needs.

Effective security strategy requires a deeper understanding of both your organization’s assets, capabilities, and weaknesses, and your adversaries’ motives, techniques, and targets.

Some practical steps you can take:

  • Develop a detailed asset inventory and business impact analysis.
  • Create a threat model specific to your organization’s industry and profile.
  • Align security investments with your actual risk landscape, not generic frameworks.
  • Continuously gather intelligence about threats targeting your sector, and analyze the impact of changes that are happening inside your organization.

4. Maintain Sustainable Momentum

Most teams operate in reactive mode—rushing from one urgent project to another, responding to the latest vulnerability, or scrambling to create a proof of meeting compliance requirements. This frantic pace leads to burnout, technical debt, and ultimately less effective security.

Growth simply isn’t linear. This is true in security, and in life. Teams develop through phases, sometimes focusing on compliance, other times on automation, then on threat hunting. The key is maintaining a sustainable pace through these phases rather than exhausting the team with constant firefighting.

Some practical steps:

  • Structure security work into defined projects/cycles (e.g. six-week implementation periods).
  • Include “cool-down” periods between sprints/projects for reflection and technical debt reduction.
  • Set explicit time boundaries for security projects rather than open-ended initiatives.
  • Measure progress by consistent delivery, not activity.

5. Question Your Assumptions

The industry is filled with experts who pride themselves on specialized knowledge. When this expertise turns into rigid thinking, it becomes a liability instead of an asset. Yesterday’s solutions are not guaranteed to address tomorrow’s threats.

True mastery in security, as in other fields, often comes when we integrate the discipline of structure with the freedom to question our assumptions. Think of a security professional who thoroughly learns frameworks before adapting them, or an analyst who invests time to understand standard approaches and then moves beyond them when the situation demands it.

Remind yourself and encourage your team to:

  • Regularly step back from detailed work to question fundamental assumptions.
  • Invite diverse perspectives into security discussions, especially from non-security roles.
  • Allocate time for exploration and experimentation with new approaches.
  • Create psychological safety for team members to challenge established security practices.

If you only take one thing away, then let it be keeping your mind open and questioning your assumptions. Maybe the most effective security emerges when we hack away at unessential metrics, expectations, and limitations—leaving only the essential: building resilient systems and teams that can adapt to whatever comes next.
