When Security Controls Quietly Increase Risk

  • Writer: derekdodds
  • 56 minutes ago
  • 3 min read

Why overly complex cybersecurity measures can undermine the business

When implementing cybersecurity solutions we need to think beyond protection; we must also consider risk, productivity, cost, and trust. Many organisations equate “more security” with “better security.”


In practice, introducing overly complex or misaligned security controls can reduce resilience and productivity, increase hidden risk, and erode operational efficiency, all without leadership visibility.


Security that looks strong on paper can fail quietly in the real world.


The Unintended Consequences of “Stronger” Controls

Well intentioned security initiatives can introduce risk when they conflict with how the business actually operates.

Examples include:

  • Restricting copy and paste to prevent credential leakage, leading staff to store passwords in unprotected notes or documents.

  • Auto-generating complex passwords without allowing user-defined passphrases, encouraging written-down credentials.

  • Overly aggressive session timeouts or access restrictions, resulting in shared logins or permanently open sessions.

  • Excessive security prompts and friction, causing alert fatigue and disengagement.


From a leadership perspective, the concern isn’t the control itself; it’s the behaviour it drives. When employees routinely work around controls, risk moves out of sight and out of governance.


Overly Complex Strategies Undermine Executive Accountability

Driving cybersecurity initiatives without aligning them to how the business operates is fundamentally flawed. Security cannot exist in isolation; it must integrate with business processes to enable, not obstruct, delivery.

Security controls rarely fail because people are careless. They fail because:

  • Business performance targets and deadlines remain non-negotiable

  • Security requirements are perceived as barriers, not enablers

  • The risk being mitigated feels distant, while operational impact is immediate

  • Teams are not involved early enough in control design


When controls clash with business reality, staff adapt, and those adaptations often invalidate the original security intent.

This creates a dangerous leadership blind spot: formal compliance without real protection.


Effective Security Aligns With How the Business Works

Security that genuinely reduces risk shares a few consistent traits:

  • It aligns with operational workflows

  • It is easy to follow and hard to misuse

  • It reduces risk without introducing new exposure

  • It is adopted naturally, not enforced aggressively


A question to ask before approving a control is simple:

“If this slows the business down, how will people bypass it?”

If the answer is obvious, the control likely needs redesign.


When Less Control Delivers More Protection

In many environments, replacing restrictive controls with enabling ones improves both security and productivity:

  • Password managers instead of clipboard restrictions

  • Passphrases combined with MFA instead of complexity alone

  • Single Sign-On to reduce credential sprawl

  • Conditional access based on risk, not blanket denial

  • Monitoring and detection instead of brittle prevention

These approaches reduce risk while lowering cognitive and operational burden, a critical factor at scale.
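To make the “conditional access based on risk, not blanket denial” and “overly aggressive session timeouts” points concrete, here is an added example (not code from the article or from Houston Network Security) contrasting a blanket-denial rule with a graduated, risk-based decision. The signal names, thresholds and session lifetimes are assumptions chosen for illustration; a real deployment would take them from its identity provider’s risk engine and its own risk appetite.

```python
"""Risk-based access decision versus blanket denial.

Added illustration, not the article's or any vendor's implementation. All signal
names, thresholds and session lifetimes below are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignInContext:
    user: str
    device_compliant: bool      # managed device passing posture checks
    known_location: bool        # location seen before for this user
    impossible_travel: bool     # geo-velocity between recent sign-ins is implausible
    sign_in_risk: float         # 0.0 (benign) .. 1.0 (almost certainly compromised)
    mfa_completed: bool         # strong second factor already satisfied this session


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow" | "step_up_mfa" | "deny"
    session_ttl_minutes: int    # 0 when access is not granted
    reason: str


def blanket_deny(ctx: SignInContext) -> Decision:
    """The restrictive control the article warns about: anything unmanaged or
    unfamiliar is refused outright, with one short fixed timeout for everyone.
    This is what pushes staff toward shared logins and permanently open sessions,
    and it ignores the compromise signals it is supposedly there to address."""
    if ctx.device_compliant and ctx.known_location:
        return Decision("allow", 15, "managed device, known location")
    return Decision("deny", 0, "blanket denial of unfamiliar context")


def risk_based_access(ctx: SignInContext) -> Decision:
    """Graduated response: deny only on strong compromise indicators, ask for a
    second factor on moderate risk, and scale session lifetime with trust
    instead of applying one aggressive timeout to every session."""
    # Hard stop only where the signal is strong enough to justify the friction.
    if ctx.impossible_travel or ctx.sign_in_risk >= 0.8:
        return Decision("deny", 0, "high sign-in risk or impossible travel")

    # Unfamiliar context or moderate risk: step up rather than refuse.
    unfamiliar = not ctx.device_compliant or not ctx.known_location
    if (unfamiliar or ctx.sign_in_risk >= 0.3) and not ctx.mfa_completed:
        return Decision("step_up_mfa", 0, "unfamiliar context: require MFA before access")

    # Trusted context earns a long session, so there is no incentive to keep
    # windows open or share an already-authenticated login.
    if not unfamiliar:
        return Decision("allow", 480, "managed device, known location")
    return Decision("allow", 60, "MFA satisfied on unfamiliar device or location")


def compare(contexts: list[SignInContext]) -> list[tuple[str, str, str]]:
    """Return (user, blanket action, risk-based action) for each constructed scenario."""
    return [(c.user, blanket_deny(c).action, risk_based_access(c).action) for c in contexts]


if __name__ == "__main__":
    # Constructed scenarios: a traveller on a managed laptop, and a sign-in
    # from a familiar place that nevertheless shows impossible travel.
    scenarios = [
        SignInContext("alice", True, False, False, 0.10, False),
        SignInContext("alice", True, False, False, 0.10, True),
        SignInContext("bob", True, True, False, 0.05, False),
        SignInContext("bob", True, True, True, 0.90, False),
    ]
    for row in compare(scenarios):
        print(row)
```

The last scenario is the one worth noticing: the blanket rule allows it because the device and location look familiar, while the risk-based rule denies it on the impossible-travel signal. The restrictive control adds friction for the legitimate traveller and still misses the case that actually matters.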


Questions We Must Ask Before Approving New Controls

Before investing in or approving a new security measure, executives should ask:

  • What specific risk will this reduce?

  • How will this affect day-to-day operations?

  • What behaviours might this unintentionally encourage?

  • Is there a simpler way to achieve the same outcome?

Controls that cannot clearly answer these questions often create more risk than they remove.


Ensuring Security Is About Outcomes, Not Restrictions

Certain parts of the business will always justify tighter controls: sensitive data, regulated systems, high-risk roles. Applying blanket maximum controls everywhere is rarely proportional and often counterproductive.

Strategic organisations design security that:

  • Enables people to do the right thing easily

  • Makes unsafe behaviour difficult, not unavoidable

  • Treats usability as a security feature

  • Balances protection with productivity

Security that staff fight is security that fails.


Governance Over Guesswork

For leadership, the real challenge is not choosing more security, but choosing the right security.


Cybersecurity must be embedded into business processes as a strategic enabler; when misaligned, it shifts from driving value to creating friction and blocking progress.



©2025 BY HOUSTON NETWORK SECURITY.
