Why “Security Is Our Top Priority” Is Empty Talk—and How to Balance Security with UX

The article critiques hollow security‑first slogans, explores the endless nature of security, the tension between security and user experience, and offers practical risk‑scoring frameworks and phrasing advice for organizations seeking a realistic balance between protection and usability.

Radish, Keep Going!

Several years ago I was invited—actually sponsored—to give a talk on software security. While preparing the talk I realized a few enduring observations about security that have stayed with me.

Security is endless. You can always invest more effort to improve it, just like quality, employee satisfaction, etc.

Security requirements often clash with the demand for a convenient user experience. Enhancing one side usually harms the other.

Many organizations now proclaim “Security is our top priority.” Is that realistic? Treating an unlimited goal as a top priority sounds like empty marketing. This article helps you interpret such statements and handle security in practice.

A philosophical introduction

What does “Security is our top priority” actually mean?

How much should you prioritize security?

How should companies phrase an alternative statement?

Philosophical Reflection on Balancing Security and User Experience

The infinite nature of security and its balance with UX reminded me of G.K. Chesterton’s ideas about virtues becoming vices when taken to extremes. A quote from Chesterton illustrates that when a good thing is pursued without balance, it can turn harmful. The same pattern appears when security zealots ignore UX, or when DEI or family‑value movements are pushed to extremes, causing division.

We need a healthy balance among all good things. If you are a security extremist, you can claim you did everything possible even if you get hacked. If you compromise security for better UX and get hacked, defending yourself with “the reality is complex, we prioritized UX” is not a satisfying answer. Defending a non‑extreme stance requires courage.

What Does “Security Is Our Top Priority” Actually Mean?

Is security truly infinite? In theory, yes—banks could lock down all online services, build vaults, and station troops, yet users still prefer convenient methods like facial recognition. Companies such as Microsoft, AWS, and Meta use slogans that sound like absolute security commitments.

In practice, those statements rarely mean that any request to sacrifice UX or price for more security will be implemented. Most organizations have a balanced priority framework, assigning weighted scores to UX, security, technical debt, new features, etc., with security often receiving a higher but not absolute weight.

How Far Should Security Go?

Since my 2018 talk I have used risk frameworks like ISO 14971 and ISO 27001. The process starts with a scoring mechanism: identify assets, assess risks, estimate likelihood and severity, multiply them to obtain a risk score, and map scores to low, medium, or high categories.

If the risk score is low, the risk can be accepted.

If it is medium, consider risk controls unless there is a justified reason not to.

If it is high, risk controls must be implemented.

After controls are in place, verify that they truly reduce risk and that residual risk is now low or negligible.

Defining the boundaries between low, medium, and high risk involves gathering decision‑makers, presenting failure scenarios, and asking what risk levels they are willing to accept, taking into account the impact of any controls on the product or process.
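As an added illustration (not the author's code or any particular ISO template), a small Python risk register that carries the procedure above through end to end: it scores likelihood times severity, maps the score to low, medium or high against boundaries agreed with decision-makers, applies the accept / consider / must-implement rule, and checks whether the planned controls really bring the residual risk down to low. The scales, boundaries and register entries are constructed sample values.

```python
from dataclasses import dataclass, field

# 5-point scales. LOW_MAX / MEDIUM_MAX are constructed sample boundaries of the kind a
# team agrees with its decision-makers; they are not values prescribed by ISO 14971/27001.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LOW_MAX, MEDIUM_MAX = 4, 12  # score <= 4 is low, <= 12 is medium, anything above is high

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)  # planned controls (names only)
    after_likelihood: str = ""  # re-estimate with the controls in place; "" = unchanged
    after_severity: str = ""

def score(likelihood: str, severity: str) -> int:
    """Risk score = likelihood x severity, the article's scoring step."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]

def category(value: int) -> str:
    return "low" if value <= LOW_MAX else "medium" if value <= MEDIUM_MAX else "high"

def decision(cat: str) -> str:
    return {"low": "accept", "medium": "consider controls", "high": "controls required"}[cat]

def evaluate(risk: Risk) -> dict:
    """Score the inherent risk, decide, then re-score with the planned controls in place.
    A medium or high risk counts as verified only if its residual score is low."""
    inherent = score(risk.likelihood, risk.severity)
    cat = category(inherent)
    residual = inherent
    if risk.controls:  # only re-score when a control is actually planned
        residual = score(risk.after_likelihood or risk.likelihood,
                         risk.after_severity or risk.severity)
    verified = cat == "low" or category(residual) == "low"
    return {"asset": risk.asset, "inherent": inherent, "category": cat,
            "decision": decision(cat), "residual": residual,
            "residual_category": category(residual), "verified": verified}

# Constructed sample register: a high risk whose single planned control is not enough,
# a medium risk and a low risk with no controls planned.
REGISTER = [
    Risk("customer database", "credential stuffing", "likely", "major",
         controls=["MFA on login"], after_likelihood="unlikely"),
    Risk("marketing site", "defacement", "possible", "minor"),
    Risk("public brochure PDF", "unauthorised copy", "rare", "negligible"),
]
```

Running `evaluate` over the register shows the high risk dropping only to medium after its one control, which is exactly the case the verification step is meant to catch.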

What Should Companies Actually Say?

For decades organizations have handled security, quality, and safety in mature ways. Instead of empty slogans, they should communicate concrete commitments, such as: “We maintain a state‑of‑the‑art security system because without customer trust we have no right to exist; protecting data is one of our most important responsibilities, and we invest heavily in it.” This honest phrasing leaves a stronger impression.
