
Security That Costs Millions — But Avoids Decisions

Prompted by E. Mehler, generated with ChatGPT 2026

What if the real problem in information security is not control gaps ... but our inability to tolerate friction?


By Eckhart Mehler for CISOs

CISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


In many organizations I work with, the pattern is strikingly consistent. Security investments are rising. Tooling is improving. Certifications are achieved.

And yet, the fundamental question remains unanswered:

Why does security still feel expensive — but not effective?


The Hidden Constraint: Governance That Avoids Friction

We like to believe that governance brings clarity.

In reality, most governance systems are designed to avoid tension.

  • Conflicts between business speed and security are smoothed over
  • Trade-offs are pushed down into projects
  • Decisions are delayed, diluted, or disguised as “alignment”

The result?

A system that looks stable on paper — but is structurally incapable of making hard choices.

And security, more than any other function, depends on exactly those choices.


Security Is Not a Control Problem. It’s a Trade-off Problem.

Let’s be honest:

  • No organization can fully secure everything.
  • No organization can eliminate all risk.
  • No organization can satisfy every regulatory expectation without cost.

Security is the art of deciding where to be exposed.

But this requires something many governance models systematically suppress:

Friction.

  • Friction between global standards and local autonomy
  • Friction between innovation and control
  • Friction between cost efficiency and resilience
  • Friction between compliance and actual risk reduction

If governance is designed to harmonize all of this away, it doesn’t create security.

It creates the illusion of control.


The Real Cost of “Frictionless” Governance

Organizations that avoid friction don’t become faster.

They become indecisive at scale.

What I typically observe:

  • Everything is classified as “high priority”
  • Exceptions accumulate because no one owns the trade-off
  • Security requirements are applied inconsistently across regions
  • Programs grow — but decision quality does not

In the end, security becomes:

  • Expensive
  • Bureaucratic
  • Detached from actual risk

Not because people are incompetent.

But because the system is designed to avoid uncomfortable decisions.


Governance That Works: Designed for Tension

If we want security to deliver value, governance must change its purpose.

Not from control to more control, but from control to decision-making under tension.

This means:

1. Make Trade-offs Explicit

Every major security initiative implies a trade-off.

  • Speed vs. assurance
  • Standardization vs. flexibility
  • Cost vs. resilience

If these are not explicitly decided at the right level, they will be implicitly decided everywhere — and inconsistently.


2. Define Decision Rights — Not Just Responsibilities

Most organizations define who is responsible.

Far fewer define who is allowed to decide under conflict.

Without clear decision rights:

  • Security escalates endlessly
  • Business bypasses controls
  • Governance becomes theater

3. Accept That Not Everything Can Be Harmonized

Global organizations in particular struggle with this.

They try to standardize everything — and end up enforcing nothing consistently.

Real governance acknowledges:

Some tensions are not solvable. They must be managed.

4. Design for Productive Friction

Friction is not failure.

Friction is a signal that real trade-offs are being confronted.

Good governance does not eliminate friction.

It channels it into structured decision-making.


The CISO’s Role: From Control Owner to Decision Architect

This is where the role of the CISO fundamentally shifts.

Not as the person who “owns security.”

But as the one who makes trade-offs visible.

  • Where are we accepting risk — consciously or by default?
  • Where are we over-investing without reducing exposure?
  • Where does governance prevent decisions instead of enabling them?

Because in the end:

Security does not fail because controls are missing.

It fails because decisions are not made where they matter.


A Final Thought

Organizations don’t lack frameworks.

They don’t lack controls.

They don’t lack awareness.

What they often lack is the willingness to build a system that can handle this:

Disagreement. Trade-offs. Irreversible choices.

In other words:

Friction.

Until governance is designed to withstand it,

information security will remain expensive —

but never truly effective.


Security is not a control system.
It is a decision system under tension.

And governance is where that tension either breaks…

or creates value.


Publication Note & Disclaimer
This article was originally published on LinkedIn on March 27, 2026 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.