Hurdles and Guardrails

My mom asked for my help over the weekend with troubleshooting Zoom on her laptop. The microphone wouldn’t work. She could be seen by everyone else but not heard. After monkeying around, I figured out the underlying problem. Zoom wasn’t at fault (surprise). The laptop’s OS (Windows 10) implements a privacy setting that disables microphone usage by default. Once that setting was turned off, my mother could be heard on Zoom calls.

This moment struck me as a strange case of good ol’ “It’s not a bug, it’s a feature.” I am thrilled to see such a security control as a feature on a laptop. I am not thrilled that I have to troubleshoot what I thought to be a bug to find out about it. The frustration wore off, but a thought lingered.

Security is often seen as getting in the way of day-to-day operations. Why do I hesitate each time my phone prompts me for an update? Because updates get in the way of my normal phone usage. Security can be seen as a bug, not a feature. Any way to bypass that hurdle allows things to operate “as normal.”

But such thrashing is reckless. I enable the microphone on my mom’s laptop. Problem solved. But what if I forget to lock it down again to only work with trusted applications like Zoom? What happens if she clicks a link and a hidden application starts recording her microphone? You may bypass the hurdle, but you’re headed straight off the cliff.

And that comes from viewing security as a hurdle rather than as necessary guardrails. What fascinates me about cyber security is this tension between being a hurdle and a guardrail. Companies realize how important it is to have these guardrails in place, but at times they can feel like hurdles employees need to bypass in order to get their real work done. The nuance seems to lie in getting people to see what these guardrails are protecting people from, not where they’re preventing them from going.