Why your security team feels stuck
Cybersecurity friction usually gets framed as a user problem: password policies that frustrate employees, MFA that slows down logins, or blocked apps that send workers into the arms of shadow IT. But there’s a different kind of friction happening behind the scenes, and it’s hitting security teams themselves.
It shows up during incident response, threat hunting, and day-to-day tasks. It’s the drag of too many tools, rigid approval chains, and a lack of clarity about who owns what. The irony is hard to ignore. In the name of securing the organization, security teams can end up slowed down by their own systems.
Friction at the core
The problem starts with complexity. Security stacks have grown dense, and tools like EDR, SIEM, SOAR, CASB, and DSPM don’t always integrate well. Analysts often need to jump between multiple dashboards just to confirm whether an alert matters. Tuning systems properly takes time and resources, which many teams don’t have. So alerts pile up, and analysts waste energy chasing ghosts.
Then there’s process friction. In many organizations, security actions, especially the ones that affect production systems, require multiple levels of approval. On paper, that’s to reduce risk. But these delays can mean missing the window to contain an incident. When attackers move in minutes, security teams shouldn’t be stuck waiting for a sign-off.
This kind of slowdown happens even during routine access requests, as Daniel Rheault, Director of Product Management at FireMon, explains: “Netsec teams often get tickets like, ‘Open TCP port 3389 for app-portal.corp.local’ or ‘Open TCP port 1433 for reporting-db.corp.local.’ Developers think in hostnames and roles, not in networks, so they rarely specify whether the port must be accessible only through a corporate VPN tunnel, a hardened jump host with MFA (or other conditional access controls), or be restricted to a specific CIDR – or who the business owner is, given the significant risk.”
Without that context, teams can’t act quickly. Rheault continues: “That ambiguity forces two to three extra clarification cycles over email or Slack. These back-and-forths can easily add days because no rule can be applied until the VPN path, multi-factor authentication, IP-restricted ACLs, logging requirements, and sign-off authority are all defined.”
Even once access is granted, the friction often reappears later:
“Every day of iterative clarification delays application functionality and forces netsec to spend time validating that all required controls are in place before they can move forward. This problem only multiplies when access requires periodic compliance-mandated review after personnel changes. Re-mapping the request to a new business owner for risk acceptance becomes a separate exercise, restarting the entire clarification process.”
These kinds of routine ambiguities force security teams into holding patterns, slowing not just emergency response but basic business enablement. It’s a systemic issue that compounds over time.
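One way to cut the clarification cycles Rheault describes is to make the intake form carry the missing context and triage the ticket mechanically before a network engineer ever looks at it. The following is an added example, not FireMon's or the article's own code; the port tiers, field names and sample tickets are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Ports from the article's sample tickets, tagged with the service they expose
# (the tiering itself is constructed for this example).
HIGH_RISK_PORTS = {3389: "RDP", 1433: "MSSQL"}

# The controls the article says must be defined before a rule can be applied.
REQUIRED_CONTEXT = ("access_path", "mfa", "source_cidr", "logging", "business_owner")
ALLOWED_PATHS = ("vpn", "jump_host")

TICKET_RE = re.compile(r"open\s+(tcp|udp)\s+port\s+(\d+)\s+for\s+([\w.-]+)", re.I)


@dataclass
class AccessRequest:
    text: str                                    # raw ticket text as the developer wrote it
    context: dict = field(default_factory=dict)  # answers to the structured intake questions


def parse_ticket(text):
    """Pull protocol, port and hostname out of a free-text ticket; None if it does not match."""
    m = TICKET_RE.search(text)
    if not m:
        return None
    return {"proto": m.group(1).upper(), "port": int(m.group(2)), "host": m.group(3).lower()}


def triage(req):
    """Return ("ready", []) when a rule can be written, else ("needs_clarification", reasons)."""
    parsed = parse_ticket(req.text)
    if parsed is None:
        return "needs_clarification", ["ticket does not name protocol, port and host"]
    reasons = ["%s not specified" % k for k in REQUIRED_CONTEXT if k not in req.context]
    service = HIGH_RISK_PORTS.get(parsed["port"])
    if service:
        ctx = req.context
        # Admin and database ports only via a VPN tunnel or MFA-backed jump host, never any-source.
        if "access_path" in ctx and ctx["access_path"] not in ALLOWED_PATHS:
            reasons.append("%s must be reached via %s" % (service, " or ".join(ALLOWED_PATHS)))
        if ctx.get("source_cidr") == "0.0.0.0/0":
            reasons.append("%s must be restricted to a specific CIDR" % service)
        if ctx.get("mfa") is False:
            reasons.append("%s requires MFA on the access path" % service)
    return ("ready", []) if not reasons else ("needs_clarification", reasons)


# Constructed sample tickets: the two from the article, one bare and one fully specified.
SAMPLE_REQUESTS = [
    AccessRequest("Open TCP port 3389 for app-portal.corp.local"),
    AccessRequest("Open TCP port 1433 for reporting-db.corp.local",
                  {"access_path": "jump_host", "mfa": True, "source_cidr": "10.20.0.0/24",
                   "logging": True, "business_owner": "reporting-team-lead"}),
]
```

Running `triage` over `SAMPLE_REQUESTS` bounces the bare RDP ticket back with all five missing controls named at once, so the requester gets one clarification round instead of two or three, while the fully specified database request is marked ready for rule creation.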
Ownership also gets fuzzy. Who’s responsible for patching? What counts as a vulnerability worth escalating? Should the SOC escalate directly to IT or go through the CISO’s office? When expectations are vague, handoffs get messy. And when handoffs get messy, response times slow down. Some of this is organizational sprawl; some of it is the natural outcome of security being bolted onto structures that weren’t designed with it in mind.
Culture adds weight
There’s also a human element. In some teams, there’s an unspoken culture of caution: don’t take action unless you’re sure it’s approved. That mindset protects against overreach, but it also creates a dependency on others to act. Junior analysts end up routing everything upward, and experienced staff spend more time reviewing tickets than solving problems. The whole team starts moving slower.
Burnout adds another layer. When friction is constant, morale suffers. Analysts may stop pushing for fixes because they assume the system will resist change. Friction becomes normalized; it’s just part of how things work. That’s dangerous because it makes real improvement harder to imagine.
Aimee Cardwell, CISO in Residence at Transcend, told Help Net Security that part of the challenge lies in how security culture is evolving.
“Security culture is having a bit of a renaissance. Each member of the security team may be in a different place as we undertake this transformation, which can cause internal friction. In the past, security was often tasked with setting and enforcing rules in order to secure the perimeter and ensure folks weren’t doing risky things on their machines. While that’s still part of the job, security and privacy teams today also need to support business growth while protecting customer data and company assets. If business growth is the top priority, then security professionals need new tools and processes to secure those assets.”
She adds that reducing friction doesn’t mean weakening controls.
“One way CISOs can reduce friction is by working with the rest of the enterprise (especially privacy and digital teams) to create shared data visibility, and then enforcing policy at the system level — through integrations, not manual process. When security and privacy operate from a common source of truth, you reduce friction and risk at the same time.”
Speed without recklessness
Fixing this kind of friction doesn’t mean removing all checks. Some approvals are necessary, but CISOs should ask whether every layer of process adds value, or just adds delay. In many cases, speed and security aren’t in conflict. What’s missing is trust.
That trust can be built with guidelines. Instead of requiring a sign-off for every containment action, create a framework that defines thresholds. If a threat meets certain criteria, the SOC can move without waiting. That speeds things up while still keeping actions accountable.
It also helps to re-examine tooling. If your detection stack creates more noise than signal, consider consolidation or better integration. More tools aren’t always better. The goal should be context-rich alerts and triage, not an endless stream of telemetry.
Clarity on roles is just as important. Security, IT, and engineering teams need shared playbooks and regular touchpoints. If a SOC analyst knows exactly who to call, and that person is empowered to act, response times shrink. This isn’t just about hierarchy. It’s about removing ambiguity.
Culture change takes longer, but it starts with setting the tone. If the message from leadership is “we move fast when we need to,” teams will adapt. If it’s “don’t touch anything unless told,” friction stays. CISOs can’t be in every war room, but they can shape the norms those rooms follow.
The hidden risk
Internal friction rarely makes headlines. No attacker ever claims credit for slowing down a patch cycle or clogging a ticket queue. But these delays have real consequences. They widen the gap between detection and response. They give attackers time to pivot, and they erode the confidence of the very teams meant to defend the business.
For CISOs, that should be a wake-up call. The pressure to harden defenses shouldn’t come at the cost of flexibility. In some cases, reducing internal drag may do more to improve security than adding another layer of defense.
Cybersecurity is already a tough job. The last thing a CISO needs is a security program that gets in its own way.