Barn-raising is an effective way to build software, especially open source software. Everyone brings the tools of their trade and contributes wherever they see the need.
Security is the exact opposite, though.
Bottom-up security means, for example, going to others and asking them to turn on 2FA. Well, you won’t get more than maybe 50-60% cooperation that way. And if you are defending a company against active attackers, that means half the company is vulnerable, and an attacker only needs one of those accounts to get a foothold. Half the company being vulnerable makes the entire company vulnerable.
Consistent application of security measures at scale is a cornerstone of an effective security strategy.
Security risk management is half technical and half organizational. A lot of security work is not rocket science; it’s the challenge of getting lots of people to do X, and to do X consistently, every time. There's a name for that problem space, and that's “management”.
If security is voluntary, then you’ll have wide open weaknesses an attacker can exploit.
What this means is that there is always security governance taking place, whether you like it or not, whether you choose to drive it or not.
To repeat: Security governance always exists, whether you choose to take the steering wheel or not.
Refusing to govern is refusing to take the steering wheel, and choosing anarchy. With respect to principled anarchists, anarchy is not an effective way to militarily defend a country, a city, a tribe, or a company from outside attackers.
When barn-raising tech startups grow up they are often loath to make this adjustment. They face the growing pains of a transition from bottom-up builder culture to top-down security culture.
If you work for a high-risk, highly-targeted company, then you have no choice but to make this transition. Because if you don’t, you will get rekt.
This transition is the corporate equivalent of being a teenager. As big as an adult, but with the mind of a child, teenagers throw tantrums like two-year-olds, and as a result some teenagers don’t survive. For all the reasons we all know.
There are self-destructive tendencies at play here, and a perverse desire to take unnecessary risks.
The test of character for a teenager, as for a growing company, is the ability to grow up.
Security governance always exists. It’s always there. Whether you like it or not, whether you want it or not, whether you take the steering wheel or not.
You can ignore it at your peril and refuse to govern to your detriment. But bottom-up security is an oxymoron: not just completely ineffective but actively counterproductive and harmful. Pursuing such a strategy, whether willfully or by accident and by default, is a refusal to engage with reality that can only cause your company harm in the long run.
Security, by definition, is a top-down activity, whether you like it or not.