When it comes to enterprise security, the goal isn't to block risk, but to shape how risk is understood, absorbed, and reduced while the business continues to move. In complex enterprises, risk can't be eliminated without eliminating opportunity. The discipline lies in making risk visible, defining clear tolerances, and engineering controls that allow teams to innovate within boundaries that are deliberate rather than accidental.
Security, in this model, becomes a mechanism for informed decision-making instead of a reflexive brake on progress. “The business will figure out how to do this, and you can be in the way of that or you can enable that,” says Mike Coogan, Vice President and Chief Information Security Officer at Brinks Home. For Coogan, enterprise security is an operating system that allows innovation to scale without creating fragility.
When Security Stops Blocking and Starts Enabling
With more than two decades leading complex IT environments, Coogan has learned that security leadership must be both strategic and human-centered, tracing a pivotal shift in his thinking back to a large-scale cloud migration in 2013. At first, he approached Amazon Web Services (AWS) as if it were simply another data center. “I know how to go build firewalls. I know how to go build log retention systems. We’ll just go do that,” he recalls. The plan was to replicate traditional controls in a new environment.
However, as development teams embraced microservices and rapid provisioning, Coogan recognized a hard truth. No private enterprise, even at Fortune 200 scale, could match the security investment of hyperscale providers. “I will never get the budget, meaning people and technology and processes, at the level of Amazon to protect my data. Period. End of conversation.”
Instead of resisting, he reframed the role of security. The question became how to leverage cloud providers’ capabilities, validate their assurances, and align contracts and controls with internal risk tolerance. That shift marked the moment security moved from obstruction to enablement.
The Real Source of Enterprise Fragility
If speed and security can coexist, why do so many enterprises struggle? Coogan says it comes down to incentives. “Incentives probably create fragility fastest at enterprise scale,” he says. When teams are rewarded solely for rapid delivery, nonfunctional requirements erode.
Maintainability, recoverability, and security are often treated as secondary attributes. The pressure to ship can crowd out second- and third-order thinking. “If all the nonfunctional requirements start to fall by the roadside, that’s where fragility shows up.” Coogan argues for aligning incentives with disciplined IT practices. If organizations reward teams for doing the correct thing from an architectural and operational perspective, resilience follows. Without that shift, even well-designed controls will struggle to hold.
Designing a Fast Lane with Guardrails
The answer isn't heavier review cycles or reactive scanning but clarity. Developers still can't push code without security and infrastructure review, but when they follow established patterns, that review should be fast. Coogan describes these patterns as secure architecture guardrails. If a team implements a known design, it should “fly through that process.” Security teams are responsible for defining those paved roads because many developers aren't trained in enterprise security standards at the expert level.
Many so-called secure-by-default practices miss the mark. Post-development code scanning that produces long lists of findings often frustrates both sides. “No one wants to be handed a book full of code flaws. That’s just frustrating to everybody involved,” Coogan says. Developers may ignore the findings, or executives may accept the risk simply to keep momentum.
Compliance frameworks can also create drag when they offer too many options. Rather than broad standards with a hundred possible interpretations, Coogan favors prescriptive guidance. Clear identity models, defined access provisioning, and consistent architectural choices reduce ambiguity and accelerate delivery.
AI, Assurance, and the Next Leadership Divide
Artificial intelligence (AI) will reshape security operations. “AI is good at understanding patterns,” Coogan says. The chronic flood of false positives that overwhelms security operations centers can be triaged by models that classify events as likely true or false. Whether it’s a suspicious file transfer or a motion alert triggered by a passing animal, AI can provide probability and context. Humans still make final decisions, but the screening layer becomes dramatically more efficient.
Over the long term, Coogan argues that software supply chain assurance will become a defining priority for enterprise security leaders. Organizations must certify tools individually, determine what data can reside in each system, and validate that assurance levels align with their risk management framework.
This work is complex. It may mean treating cloud providers differently based on contractual protections and control coverage. Frameworks such as FedRAMP demonstrate the power of standardization and predictability at scale. Most enterprises lack the influence to impose such a framework on their providers, which makes disciplined governance and continuous controls monitoring even more critical.
Balancing speed, innovation, and security is about better integration. Enterprises that treat security as an operating system, align incentives with resilience, and invest in assurance can move quickly without becoming brittle. “The business will dictate the conditions of its own success. You can be in the way of that or you can enable that.”
This story was distributed as a release by Jon Stojan under HackerNoon’s Business Blogging Program.
