Security Is A Political Problem
Miloslav Homer
• Technical and Political Problems
• Risk Management Is Inherently Political
• ROSI: Motivate Budget Holders To Keep Your Technical Solution
• Is Security Useless? No.
#Opinion
#Security
2026-06-22
Every now and then I meet a (usually) young and passionate security practitioner, uttering sentences like: “But this is just the bare minimum, we have to do (insert here: firewalls, phishing simulations, SAST, bcrypt, encryption at rest... pick one). We cannot work without it!”

I’m afraid I have bad news. We absolutely can work without it, even though we disagree. I know you don’t want to hear this, hell, I remember I didn’t like hearing this, but here goes. Security is not a technical problem, security is a political problem that sometimes uses technical solutions.

I’m writing this article as a reference point. It is critical for me to get this argument right, because it underpins nearly every other effort in security.

[Image: Is this the right amount of security in this context? (by Serena Koi)]
Technical and Political Problems
I would be happy to include a good differentiating definition here, but I didn’t find one. The best I’ve found is an article from 1935: Note on the Distinction between Political and Technical Questions (Pitman B. Potter). It writes cooperation with an umlaut! Coöperation! Here’s the relevant excerpt:

    ... “political” refers to policy or general principle or theory of action, “technical” to application in detail of previously adopted policy or law. To some extent the policy is purpose, technique the means to the end.

For me, a purely technical problem is completely disconnected from human behaviour and emotions. There’s an obstacle and it needs to be cleared out, but fortunately that obstacle doesn’t change its behaviour based on how well it slept last night.

On the other end of the spectrum, you have purely political problems, where all that has to be done is to make a decision. The issue is, it’s usually not your decision to make, and you have a preferred outcome¹.

[Image: A climber, solving the technical problem of ascending after a political decision of taking this route to the summit. (by Mau Torres V)]

As an example, hashing and salting passwords in the database is a technical solution. But the political decision underpinning the solution is to store the passwords locally. Other decisions could lead to an identity provider like Google or Microsoft.

Everybody knows™ that political decisions are made in accordance with values². You have your values that might or might not be aligned with the values of the decision maker. And you need to employ political tactics to influence them.

Of course, most problems exist somewhere on this spectrum. Going back to IT, even a minor feature change might be stopped by a senior engineer reviewing the code because it fails abstract requirements like “quality” or “security”. On the other hand, sometimes you need to take reality into account when making business decisions.
Risk Management Is Inherently Political
You cannot possibly do any security without risk management. At some point, somebody³ has to say “this is a problem” and on the other end they’ll say “eh, this is fine.” It’s not really relevant whether this conclusion was reached from a huge Excel sheet or a flip of a coin.

What is relevant is that any argument along the lines of “we absolutely have to do X” can be discarded immediately with “no, we can risk it and hope for the best.”

[Image: If your risk appetite is high enough, you can fund your company with blackjack! Worked out well for Frederick Smith and his FedEx. (by Anna Shvets)]

If you’re looking for some universal floor that all companies should be doing, we have it: it’s compliance backed by government regulations. And even those are up for discussion all the time. Regulatory language needs interpretation, which allows different details to suit the various approaches.

Ideally, you map all of the risks, you try to provide some estimates of impacts and probabilities, you identify business priorities, and so on. Then you come to someone who can give you budget to implement fixes, and they’ll tell you “no, we’re not buying all of that, that’s way too expensive.”

That’s where security begins. And that is also a prototype of a political problem: how do we assign limited resources to address known issues? Is the risk bigger than not shipping a new feature that would secure a new contract? Discuss⁴.

If you are responsible for security, I recommend taking the most conservative approach. Ideally, someone high up the chain will take responsibility for that risk: make them sign it and store this signature as evidence. It might come in handy later.

Technical solutions are still indispensable for security. Once a decision is made (policy is written) we need to enforce it. That’s where the tech folks...