Trust but verify? Balancing employee flexibility and security in cybersecurity management
Доверяй, но проверяй? (Trust, but verify?)

@channel In April this year, a cybersecurity firm called BePrime made headlines for all the wrong reasons. The company — a managed security services provider serving major brands including Starbucks, Whirlpool, and energy companies across Latin America — was breached because its admins neglected to put MFA on their own accounts! 🤦 The attacker walked straight in, stealing 12.6 GB of data including plaintext credentials, security audit reports and API keys, taking control of 1,858 network devices, and accessing live surveillance camera feeds at client offices.

This wasn't a sophisticated zero-day or some AI-powered supply chain attack, just a cybersecurity company that hadn't bothered to protect itself with basic controls. It was the equivalent of a professional locksmith leaving their own front door unlocked.

It brought back an uncomfortable memory of my own: we’d managed to resist a high-profile pen test until the attackers located an unsecured Excel document holding the credentials to almost every database we had. It was a DB Admin trying to ‘smooth his workflow’, but for the firm, it was ‘game over’.

The awkward truth in both cases: the threat wasn't sophisticated. It was human. Convenience trumped security. And that's a pattern that doesn't get easier to manage — it gets harder. So what do we do?
Remove trust entirely? 🔒 Physical searches on entry and exit, locked-down toolsets, strict access controls. Effective, maybe. But miserable places to work, and talented people leave.
Extend trust generously? 🤝 And periodically discover your intellectual property sitting in a competitor's pitch deck.
Ronald Reagan 🇺🇲 borrowed the old Russian axiom: "Trust, but verify" (the text at the top of this piece in case you were wondering!). It sounds like the sensible middle ground. The problem is that we don't actually verify. We say we will, we build policies that assume we do, and then reality intervenes. Monitoring every action every user takes simply isn't operationally feasible, and even when we try, the research suggests that a verification culture can actively damage the trust it claims to protect, pushing behaviours underground rather than eliminating them. ‘Guardrails’ appear to be a reasonable compromise — constrained environments where creativity is permitted within defined boundaries and toolsets. But a motivated employee with a company credit card can bypass most of them before lunch. There's no clean answer here. Which is why I'd love to hear from you 🫵:
1. What balance have you found between giving staff the flexibility they want, and keeping them from making expensive mistakes?
2. How do you divide your controls — what's enforced through culture and what through technology? And which works better?
3. Here's a controversial one: do you think "trust, but verify" is fundamentally broken as a model — and if so, what should replace it? Zero Trust architecture? Outcome-based accountability? Something else entirely?
I'll start: I think the phrase does more harm than good. It gives organisations the comfort of sounding rigorous without the discipline of actually being rigorous…
