The Importance of Feeling Secure
Security teams that focus only on being secure, without making protections visible, risk losing stakeholder confidence. Nobody trusts what they can't see, whether that's automated defenses, AI-driven tools, or competent but quiet leadership.
Feeling secure is different from being secure. Cybersecurity professionals usually interpret this as a warning that enterprises pay lip service to security without acting on it. The inverse is just as important. As we automate and outsource more of our defenses, the gap between what’s protected and what feels protected widens. Merely being secure is often insufficient if the subject doesn’t feel secure.
Feeling Secure vs. Being Secure
Back in 2007, Bruce Schneier wrote In Praise of Security Theater, arguing that “security is both a reality and a feeling.” That tension hasn’t eased. He explained:
“The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. […] But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure.”
Bruce brought up the example of hospitals placing RFID bracelets on newborns to alert staff if someone removes the infant. The chance of abduction is very low, yet the “bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.” Making people feel secure has value even when the measure doesn’t address a meaningful risk.
You can listen to Bruce discuss this concept in his TEDx video below:
The Importance of Feeling Secure
Humans sometimes make seemingly irrational decisions that have reasonable explanations, because emotions often play a bigger role than logic. Even when we take actions that make the organization more secure, that might not be enough. We also need to make sure the people we’re protecting can see and feel the benefit.
A few examples illustrate this:
- When we automate routine protections, from patching to cloud configuration, leadership may ask, “What does the security team actually do?” Invisible protection doesn’t register as protection. Even when automation handles real risks, we need to surface the work so stakeholders recognize its value.
- We can strengthen our company’s security posture and manage IT risk effectively, but management may still feel insecure unless we capture the right metrics and deliver meaningful reports.
- We may deliver competent findings in a security assessment, but unless the deliverable includes a thorough review of the methodology and results, the client may feel unsatisfied with the engagement.
- A company may select a security service provider based purely on polished sales interactions and marketing documents. Such collateral can make the prospect feel secure regardless of the vendor’s actual capabilities.
- An AI-powered security tool that autonomously triages alerts and closes false positives can reduce analyst workload. But if our team can’t see the reasoning behind each decision, they may distrust the automation, and many will revert to manual processes. Showing the AI’s reasoning matters as much as improving its accuracy.
Being secure and feeling secure are distinct but interrelated, and both require our attention. The dashboards, reports, and transparent processes that build confidence are themselves security controls. Making protection visible is as much a part of the job as making it effective.