Why “Security Is Our Top Priority” Is Misleading: Balancing Safety and UX

This article critiques the empty slogan “Security is our top priority,” explores the endless nature of security, its conflict with user experience, and offers practical risk‑assessment frameworks to help organizations find a realistic balance between safety and usability.

Several years ago I was invited to give a talk on software security—not because I was personally selected, but because my company had bought a sponsorship package that included a speaking slot. While preparing, I arrived at a few enduring insights about security.

Security is endless. You can always invest more effort to improve security, just as with quality, employee satisfaction, and other domains.

Security requirements often conflict with a convenient user experience. Enhancing one aspect usually harms the other.

Many organizations claim “security is our top priority.” Is that realistic? Empty marketing slogans can be frustrating. In this article I explain how to interpret such statements and handle security in practice.

A philosophical introduction

What “security is our top priority” actually means

How much emphasis you should place on security

How companies could phrase this claim more honestly

Philosophical Thoughts on Balancing Security and User Experience

The infinite nature of security and its balance with UX reminded me of G. K. Chesterton. He observed that virtues pursued to extremes can become harmful. The same pattern appears when security zealots ignore UX, or when DEI initiatives are taken to extremes and create division.

“Modern society is not evil; in some ways it is overly good. It is full of wild, wasted virtues. When a religious system is shattered, not only vices are released but virtues too, roaming wildly and causing greater destruction.” – G. K. Chesterton, *Orthodoxy*, 1908

Chesterton’s point is that good things can become bad if over‑pursued or isolated. Security extremists may over‑engineer defenses, while UX‑focused teams may sacrifice safety. Finding a healthy balance is challenging but essential.

What Does “Security Is Our Top Priority” Actually Mean?

Is security truly infinite? In theory, yes—banks could lock down all online services and still add more guards. In practice, users prefer convenient features like facial recognition, accepting a reasonable level of risk.

Companies really do say it: Microsoft’s “Put security above everything,” AWS’s “Security is the highest priority in the cloud,” Meta’s “Protecting your data is our top priority,” among many others.

But does that mean any suggestion that sacrifices UX or price for more security should be implemented? Of course not. The statement is often a comforting veneer rather than a concrete policy.

In reality, such claims may imply a weighted‑priority framework, e.g.:

“We have a balanced priority framework: 20% UX, 25% security, 10% technical debt, 20% new features, etc. Security is the top priority because 25% > 20%.”

Or they might mean:

“Security, at an industry‑standard level, is our top priority. Once sufficient safeguards are in place, we focus on other concerns.”

I invite readers to share truly honest security statements in the comments.

How Much Security Should We Implement?

When I gave the 2018 talk, I didn’t know where to draw the line. Since then I’ve used risk frameworks like ISO 14971 and ISO 27001. The process starts with a scoring mechanism: identify assets, enumerate risks, assess likelihood and severity, multiply them to obtain a risk score, and map scores to low, medium, or high categories.

If the risk score is low, the risk can be accepted.

If it is medium, consider risk controls unless there’s a strong justification not to.

If it is high, risk controls must be implemented.

After controls are in place, verify that they truly reduce risk and that residual risk is now low or negligible.

Defining the boundaries between low, medium, and high often involves workshops with decision‑makers, presenting failure scenarios, and asking what level of risk they are willing to accept given the impact of controls.

This simple scoring system—risk matrix, risk‑tolerance policy, and risk register—helps make consistent decisions.
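The scoring process above, carried through as an added example (not the author's tooling): a small risk register in Python that multiplies likelihood by severity, maps the score to a band, derives the required action, and checks residual risk once a control is recorded. The 1-5 scales, the band thresholds and the register entries are assumptions standing in for the outcome of the workshop the text describes.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed (not from the article): 1-5 likelihood/severity scales, score = product,
# bands low <= 4, medium 5-9, high >= 10, i.e. the policy a tolerance workshop sets.
LOW_MAX, MEDIUM_MAX = 4, 9
ACTION = {"low": "accept", "medium": "consider controls", "high": "controls mandatory"}

@dataclass
class Control:
    name: str
    likelihood_after: int   # residual likelihood once the control is in place
    severity_after: int     # residual severity once the control is in place

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    severity: int           # 1 (negligible) .. 5 (catastrophic)
    control: Optional[Control] = None

def score(likelihood: int, severity: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity must be on the 1-5 scale")
    return likelihood * severity

def category(s: int) -> str:
    return "low" if s <= LOW_MAX else "medium" if s <= MEDIUM_MAX else "high"

def evaluate(risk: Risk) -> dict:
    inherent = score(risk.likelihood, risk.severity)
    row = {"asset": risk.asset, "threat": risk.threat, "inherent": inherent,
           "category": category(inherent), "action": ACTION[category(inherent)]}
    if risk.control is not None:
        residual = score(risk.control.likelihood_after, risk.control.severity_after)
        row["residual"], row["residual_category"] = residual, category(residual)
        # Verification: the control must lower the score and leave residual risk low.
        row["control_effective"] = residual < inherent and category(residual) == "low"
    return row

# Constructed sample register (illustrative entries, not real assessment data).
REGISTER = [
    Risk("customer database", "credential stuffing", 4, 4, Control("MFA and rate limiting", 1, 4)),
    Risk("marketing site", "defacement", 2, 2),
    Risk("build pipeline", "compromised dependency", 3, 3, Control("lockfile pinning only", 2, 3)),
]

def summarize(register=REGISTER) -> list:
    return [evaluate(r) for r in register]
```

The third entry shows the verification step doing its job: a control that only nudges likelihood from 3 to 2 leaves the residual score in the medium band, so the register flags it as not yet effective.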

What Should Companies Actually Say?

For decades, mature organizations have handled security, quality, and safety in a balanced way. We should highlight companies that truly practice this, not those that merely claim it. An ideal statement might be:

“We maintain a state‑of‑the‑art security system because without customer trust we have no right to exist; therefore security is one of the most important aspects of our work, and we invest heavily in it.”

Reference Links

[1] "Security Is Our Top Priority" is BS: https://blog.waleson.com/2024/07/security-is-our-top-priority-is-bs.html?ref=edony.ink

[2] Put security above everything: https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/

[3] In AWS, cloud security is the highest priority: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html

[4] Protecting your data is our highest priority: https://about.meta.com/actions/protecting-privacy-and-security/