The Security Mindset Problem
Security requires a particular mindset. Security professionals (at least the good ones) see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.
Bruce Schneier coined the term "security mindset" years ago, and it's a useful concept. These are the people who spot the flaws in systems that everyone else walks past without a second thought. We need these people. But here's the thing about security mindset: it's a double-edged sword.
The Car Pickup Problem
Let me tell you a story.
A few weeks ago, I dropped my car off at the dealership for service. Routine oil change, nothing exciting. I took the shuttle to work, they called me when it was ready, and I walked over to pick it up. I told the service advisor I was there for my car. She looked up from her screen: "Last name?"
I told her. She typed it in, found my service ticket, and called for the car to be brought out. I drove off. Easy.
It wasn't until later that I realized: I hadn't shown any ID. I'd just said my last name, and got my car.
Now, if you have the security mindset, alarm bells are going off in your head. Anyone could walk in, give a common last name, and drive away with the keys. No damage, freshly washed. You could eavesdrop on customers in the morning, ride the shuttle and make small talk to learn names, or just try "Smith" and see what happens.
But here's what I want you to notice: that dealership has probably never had a car stolen this way. Not once. And they've been operating for decades.
When the Consultant Shows Up
Now imagine this same dealership hires a security consultant. The consultant walks through the service centre with fresh eyes (security eyes) and immediately spots the pickup "vulnerability."
"This is a problem," they report. "Anyone could pick up a car with just a last name."
Never mind that it's never happened. Never mind that the customer who just dropped off their car, who just chatted with Sarah about the weather and their kid's hockey tournament, will now be interrogated like they're trying to cross a border. The consultant has imagined a problem, and imagination is enough.
So they implement a fix. Now you need your driver's licence. A confirmation code texted to your phone. Maybe they check your signature against some form you signed six years ago when you bought the car. Sarah, who knows half her regulars by name, now has to pretend she doesn't recognize you while the computer runs its verification dance.
Security theatre, performed for an audience of no one, solving a problem that exists primarily in the minds of people paid to imagine problems.
Why the Dealership Can Get Away With It
Here's the thing: car theft is prosecuted. If someone walks into that dealership and drives off with your Corolla, you report it stolen. We assume the police actually investigate, but here in Canada we know they won't and insurance will just pay for it. Still, the thief (if caught) faces years in prison for grand theft auto (technically "theft of a motor vehicle" in Canada, but GTA sounds better!). Cameras captured their face. The car's plates get flagged. Two-thirds of stolen vehicles are recovered.
Even potential thieves do a risk-reward calculation. The ease of saying "Johnson" and hoping for the best is offset by the very real chance of doing serious prison time. The deterrence model actually works for physical crime in a way that makes heavy-handed prevention at the point of pickup somewhat redundant.
The service centre's "lax" security isn't actually lax. It's appropriately calibrated to a threat model where consequences exist and are enforced.
Now Let's Talk About Computers
The digital world is different, and here's where the security mindset becomes both more necessary and more prone to excess.
Online, the volume of potential bad actors is seemingly endless. Someone in another country can try to compromise your account thousands of times a day, and the "police" aren't coming. Cybercrime is barely prosecuted unless you embarrass a major corporation or steal from the wrong people. The risk-reward calculation for attackers is completely different: high reward, almost zero risk.
So security teams respond the only way they know how: they add friction. Lots of friction.
The 2026 Reality
It's 2026, and I'm exhausted.
I spent twenty minutes yesterday trying to access a service I've used for years. New device, they said. Please verify. Click the link we emailed. Now enter the code we texted. Now confirm your identity with (I kid you not) a selfie holding my driver's licence next to my face.
For a service that has my credit card on file. That I've been paying monthly for three years.
And this is everywhere now. Biometrics. 2FA on top of 2FA. Uploading government ID to companies I'm not sure I trust with my government ID. Face scans that feel like CBSA checkpoints for buying socks online. Security questions asking for my first pet's name and my mother's maiden name, information that's probably in three breached databases already.
Every service has become paranoid. Every login is an interrogation. And somehow, the breaches keep coming.
The Security Team's Dilemma
Here's what I've come to understand about why this happens.
Being in infosec is a rough life. When you get breached, you're blamed. It doesn't matter if the attack was novel, if your budget was a tenth of what you needed, if the CEO clicked the phishing link himself. The breach is your fault. Your career is on the line.
So security teams spend their days red-teaming, imagining increasingly outlandish ways their systems could be compromised. And for each imagined attack, they add a hoop. Another verification step. Another authentication layer. Another way to prove you are who you say you are.
The product accumulates hoops like barnacles. The user experience degrades. And then (inevitably) some attacker gets creative in a way nobody imagined, breaches you anyway, and now you have the worst of both worlds: horrible UX and you're still getting breached.
The Car Dealership Knew Something
Maybe Sarah at the service counter had it right all along.
Security isn't just about preventing bad things. It's about proportionate response to actual risk. The dealership didn't need biometric verification to pick up your oil change because the consequences for car theft are real and enforced. The friction of heavy security would have cost them customer goodwill for essentially zero security benefit.
Digital systems don't have that luxury. The cops aren't coming for the person who brute-forced your password from across the globe. So we build walls because we can't rely on consequences.
But somewhere along the way, we lost the proportionality. We started treating every login like a potential heist. We made every user prove (over and over) that they're not an attacker, even when they're just trying to check their email.
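The proportionality argument above can be made concrete as a login policy that scales verification with observed risk instead of interrogating every user. The following is an added example, not code from the original post or from any real service; the risk signals, weights and thresholds are assumptions chosen to illustrate the idea (a known device and a routine action need only a password, while a new device from an unfamiliar country, or a sensitive action, earns a second factor, and repeated failures are refused outright).

```python
"""Risk-proportionate step-up authentication policy (illustrative, added example).

All signals, weights and thresholds below are assumptions for demonstration;
a real deployment would tune them against its own abuse and support data.
"""
from dataclasses import dataclass


@dataclass
class LoginContext:
    known_device: bool                 # device cookie / fingerprint seen before
    ip_country_matches_history: bool   # geolocation consistent with past logins
    failed_attempts_last_hour: int     # recent failures for this account or IP
    hours_since_last_success: float    # dormancy of the account
    action: str                        # "read" (e.g. check email) or "sensitive"


# Assumed weights: each signal adds to a 0-100 risk score.
WEIGHT_NEW_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_PER_FAILURE = 10         # capped at 5 failures worth of score
WEIGHT_DORMANT_ACCOUNT = 20     # no success in the last 30 days

# Assumed thresholds for escalating friction.
OTP_THRESHOLD = 40
IDENTITY_RECHECK_THRESHOLD = 70
HARD_LOCK_FAILURES = 10         # rate limit: refuse regardless of other signals


def risk_score(ctx: LoginContext) -> int:
    """Combine context signals into a single score; higher means riskier."""
    score = 0
    if not ctx.known_device:
        score += WEIGHT_NEW_DEVICE
    if not ctx.ip_country_matches_history:
        score += WEIGHT_UNUSUAL_COUNTRY
    score += min(ctx.failed_attempts_last_hour, 5) * WEIGHT_PER_FAILURE
    if ctx.hours_since_last_success > 24 * 30:
        score += WEIGHT_DORMANT_ACCOUNT
    return min(score, 100)


def required_steps(ctx: LoginContext) -> list[str]:
    """Return the verification steps this login must complete, in order.

    The low-risk path is a password alone; friction is added only when a
    signal or the action itself justifies it. Brute-force volume is handled
    by a hard refusal rather than by piling on more prompts.
    """
    if ctx.failed_attempts_last_hour >= HARD_LOCK_FAILURES:
        return ["deny"]

    steps = ["password"]
    score = risk_score(ctx)

    # Sensitive actions always require a second factor, whatever the score.
    if score >= OTP_THRESHOLD or ctx.action == "sensitive":
        steps.append("otp")
    # Only a genuinely anomalous session triggers the heavyweight re-check.
    if score >= IDENTITY_RECHECK_THRESHOLD:
        steps.append("identity_recheck")
    return steps


if __name__ == "__main__":
    # Constructed sample sessions (not real data).
    samples = {
        "regular customer, known device, reading mail":
            LoginContext(True, True, 0, 2.0, "read"),
        "new device, same country, reading mail":
            LoginContext(False, True, 0, 2.0, "read"),
        "new device, new country, reading mail":
            LoginContext(False, False, 0, 2.0, "read"),
        "known device, changing payout details":
            LoginContext(True, True, 0, 2.0, "sensitive"),
        "twelve failed attempts this hour":
            LoginContext(True, True, 12, 2.0, "read"),
    }
    for label, ctx in samples.items():
        print(f"{label:48s} score={risk_score(ctx):3d} steps={required_steps(ctx)}")
```

The point of the structure is that friction is a function of evidence: the returning customer on a known device gets the "last name, here are your keys" experience, and the extra prompts are reserved for sessions that actually look different from the account's history.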
The security mindset is essential. But so is knowing when to turn it off.
Maybe the solution isn't more hoops. Maybe it's finally deciding, as a society, that cybercrime deserves the same investigative resources and consequences as the guy who walks into a Toyota dealership and drives off with someone else's car.
Until then, I'll be here. Clicking the button. Waiting for the code. Holding my licence up to my face like a suspect in my own life.