The Five Stages of Security Grief

Helen Patton
Feb 11, 2018

The cycle of Security Governance and Management is quite predictable.

Now, for those of you with some kind of Security certification, you will be thinking that I will discuss things like Assessments for Threat, Privacy or Security. This might be followed by Plans of Action, or Testing, or Incident Response. All these things are lovely, and appropriate, and ensure your leadership can trust you to have a plan. Great. But that’s not what I’m talking about.

In order for an organization to truly manage Security, the Security Professional must help people through the stages where they understand what Security is, how it impacts them, how their professional lives will never be the same no matter how much they wish it to be otherwise, and how to live in the new normal. I like to call this the Five Stages of Security Grief.

Denial

It is easy to diagnose folks in this stage. Apart from the shocking lack of care they take with their own personal information (will you PLEASE stop taking those Facebook polls which reveal the answers to your password reset questions?), when asked they will give you a blank stare and quite adamantly pronounce that “no one cares about my stuff” and “I’m not a target”.

This is closely followed by people who think Security is a “tech thing”, and that since they don’t “do tech” they can’t possibly take responsibility for any Security activities. Or worse, they are convinced there is a magical unicorn tool that will solve all Security problems if we just had the money to buy it (Quite a few Security salespeople suffer from a similar delusion). Until then, they will deny they have any role to play in keeping things Secure.

Now, don’t confuse my frustration with folks in denial with a lack of sympathy for them. If I had my way, I wouldn’t have to worry about Security either. I would go about my happy way, giving Amazon access to drop packages off inside my front door, handing my work badge to a visitor so they can more easily enter a restricted office, and sharing my password with my team in case I’m unavailable. Makes perfect sense.

My frustration is with people who, despite a lot of evidence to the contrary, refuse to acknowledge the need for concern or a change in thinking. Worse, when some Security Incident happens, they act all surprised. At least, that is, until they enter the next stage of Security Grief.

Anger

Anger is a completely rational and reasonable response to an unplanned negative event of any kind. Why should Security events be any different? As a Security Pro, my anger response occurs when someone previously in Denial says:

“But How Could This Happen?”

No, I won’t respond with a pithy, sarcastic one-liner, because that would be a career-limiting move. Instead, I’ll empathize with them about how sad it is that there are bad people out there (kids these days!), and what’s the world coming to, and we’ve already got so much to think about without this too.

I won’t remind them of the last vulnerability report that showed how long it is taking to remediate known bad systems, or their lack of engagement in the systems projects where Security risks were examined, or their willingness to pull something out of quarantine and send it anyway. Or whatever. OK, I will remind them — just not right away (see Bargaining, below).

Sometimes, I recognize that they couldn’t have known something would happen. Or they made a risk acceptance decision that, in hindsight, was a mistake. In this situation, I sympathize with their anger, and offer to join them in a Security Memorial Wake at the local establishment of their choosing. Because sometimes life is like that.

Once the blood-pressure-raising, sweat-inducing hormonal effects of Anger die away, we get to the next stage.

Bargaining

This is an interesting phase, because this is when they start looking for the silver Security bullet that will solve all their Security problems without them having to do anything different.

This is the time when the Security Professional can remind them of the clues that have been dropped at their feet like rose petals, all of which indicated that the Bad Thing was going to happen. Reintroduce them to the warnings that popped up when they tried to email restricted data somewhere inappropriate, and to the dashboards and other KPIs that management are supposed to be responding to. Reintroduce them to the industry reports and regulations about the state of Security and Privacy in their industry that they hadn’t previously had time to read.

Feel free to completely overload them with information during this phase. It will keep the phase short, and allow them to see that all those previous times you’d tried to schedule meetings with them, or to present security topics to their teams, or include Security related items in Company communications, had a purpose. It will also help them begin to understand that the job of Security cannot be done by the Security team alone — that it’s complicated and ever-changing and distributed.

This will help them move to the next phase.

Depression

Here is the phase where the Security Professional can be most helpful. This is the point when the individual has realized that Security is a problem that won’t go away without their direct and intentional engagement, and they don’t like it.

Not. One. Bit.

This is the time, however, to remind folks of the benefits of working with a Security mindset. To remind them that an IT organization that prioritizes Security controls sees fewer outages, and therefore they get to spend more uninterrupted family time. That a hospital that applies Security controls SAVES LIVES. That a manufacturing company that cares about Security sees lower manufacturing costs, which might be passed on to consumers. That parents who care about Security have tools to help their kids be better online citizens. And so on.

Which brings them to the next stage:

Acceptance

I’ll be the first to admit that a company full of people who accept Security is a nice thing to have, and most Security Professionals do not live in such a world.

I am greedy, so I don’t think acceptance is enough — I want full-hearted partnership and endorsement of Security as the cornerstone of a well-run organization. I want an understanding that a company cannot deliver on its mission and vision if it does not pay attention to Security issues. That Security is therefore a C-Suite function, like Operations and Sales and HR and Finance.

So What is a Security Professional To Do?

The biggest challenge for Security Pros is not the decisions about which tools to deploy, or which metrics to use, or getting more budget. It’s that Security is, for each and every person in your organization, a PERSONAL problem. And the Security Industry has not yet worked out how to create a scalable grief recovery method that allows everyone to progress quickly through these stages. So you might have a Board that fully accepts that the world, and therefore their priorities, have changed. But the Line Manager making decisions about where and how to deploy HVAC sensors still thinks Security is someone else’s problem.

It’s for this reason that Security Pros need more than Security certifications to do their jobs. They need at least a Minor in psychology or counselling, so they can walk beside folks and offer them a Recovery program for their Grief. They need to stop focusing on technical reporting, and instead focus on the kind of organizational cultural health that allows risks and issues to be shared without penalty.

We need industry support. This means Vendors who stop offering magic solutions; Regulators who acknowledge that compliance is hurting, not helping, the effort to win hearts and minds; and Government agencies who quickly and efficiently share information with the Private Sector (and a Private Sector that shares right back).

It would seem that, just like death and taxes, Security issues are a certain thing. And, just like death and taxes, we will all need to work continuously to prepare for and respond to Security events. Let’s recognize, however, that everyone is on their own Security journey. That they are in different stages of grief, and that the role of the Security Professional is to help guide the way to a better understanding of the new normal.

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange