'Inside Security' with Max Louthain (Staff Security Engineer, Arcadia)

In previous editions of Inside Security, we've explored the cultural challenges that plague security teams and the evolution of cloud-enabled social engineering. But there's another crisis quietly undermining security organizations across the industry: the relentless cognitive burden of fragmented tooling and the context switching that comes with it.
This edition features insights from Max Louthain (Staff Security Engineer at Arcadia). Max is a seasoned security engineer who has operated across the full spectrum of organizational maturity – from the deep specialization and scale of Amazon to the hyper-growth challenges at Unity, and now to the fast-paced environment of the clean-tech startup, Arcadia. His perspective reveals a harsh truth: while we've gotten better at detection and prioritization, we're systematically burning out our security engineers with poorly integrated systems.
The Adaptability Imperative
Security engineering has evolved into a discipline that demands unprecedented adaptability. As Max observed from his transitions between organizations:
"Security engineers need to be adaptable, especially when they come into a new role. The goal is still effectively the same, but the way the goal is met is completely different. This adaptability requirement stems from a fundamental reality: security teams must slot into existing business operations rather than drive wholesale cultural change. At large organizations like Amazon, this means operating within clear ownership boundaries and deep domain expertise. At hyper-growth companies like Unity, it requires balancing the rapid scaling of security programs with the velocity demands of an expanding business. At startups like Arcadia, it means wearing multiple hats while maintaining closer proximity to business objectives."
The most successful security engineers understand this distinction and focus relentlessly on protecting the organization's crown jewels – whether that's customer data, trade secrets, or brand reputation. The challenge lies not in identifying these assets, but in protecting them effectively across radically different organizational contexts.
The Context Switching Tax
Perhaps the most overlooked cost in modern security operations is the "context switching tax": the cognitive overhead of constantly bouncing between fragmented tools and incomplete information systems.
"If the security stack is fragmented, then you have multiple tools that cover various controls or parts of the software development lifecycle. You need a decent understanding about how they work, what they cover, what their blind spots are, what their tendency is for false positives."
This fragmentation creates a cascade of problems:
- Mental Exhaustion: Engineers must maintain working knowledge of multiple disparate systems, each with its own interface, logic, and limitations
- Increased Error Rates: The constant need to stitch context manually increases the likelihood of human error, especially when tools don't communicate with one another
- Velocity Reduction: Teams spend more time orienting themselves to different systems than actually solving security problems
The issue persists even in supposedly "cohesive" platforms that attempt to cover multiple domains. Understanding how these tools work across different problem sets and how their information interconnects remains a significant cognitive burden.
The 80/20 Reality Check
One of Max's most practical insights centers on applying the 80/20 rule differently based on organizational maturity. For startups, the focus should be on that crucial 80% – the fundamental security practices that provide the most risk reduction for the least effort.
"In a startup, you really want to focus on that 80% because 80% of the risk reduction or impact comes from maybe 20% of the effort. For larger, more mature organizations, that 80% is typically handled by established tooling and processes. The challenge becomes optimizing the remaining 20% – work that demands significant engineering investment but yields incrementally smaller returns."
This distinction has profound implications for team structure and resource allocation. Startups need security generalists who can rapidly identify and address the highest-impact vulnerabilities. Large organizations need specialists who can squeeze efficiency gains from already-mature systems.
The Ownership Crisis in Vulnerability Management
No discussion of modern security challenges is complete without addressing the persistent ownership crisis in vulnerability management. While detection capabilities have improved and prioritization is getting better through context enrichment, the fundamental question of who owns remediation remains largely unsolved.
"It's really hard to conceptualize what a perfect world would look like. Of course, developers would care enough about security that they would always be checking and not introducing vulnerabilities. But they're not hired to do that. They're hired to build a product."
This tension reflects a deeper structural problem. Organizations expect developers to write code, manage infrastructure, and now handle security responsibilities – all while maintaining velocity on feature development. Meanwhile, security teams lack the application-specific knowledge required to fix issues across multiple codebases.
The most progress comes from empathy on both sides: security teams understanding developer workflows and constraints, and developers recognizing the real business impact of accumulated security debt. But this statement, or some version of it, regularly makes the rounds in blogs and on LinkedIn, only to resurface again and again, which tells us that this mutual understanding remains far from reality in most organizations.
The Tech Debt Reality
Perhaps the most sobering aspect of modern vulnerability management is the inevitability of technical debt accumulation. As Max points out:
"You're always going to be accumulating tech debt. Even if you were trying not to, and that was your main priority, you would still accumulate tech debt, because not every vulnerability is known at the time you're shipping code."
This reality demands a fundamental shift in approach. Rather than expecting perfect remediation, organizations should:
- Plan for Compromise: Accept that systems will be compromised and focus on detection, response, and recovery capabilities.
- Understand Risk Context: When technical debt can't be eliminated, invest in understanding what exploitation would look like and how to detect it.
- Build Response Capabilities: Develop mechanisms to quickly identify when known vulnerabilities are being exploited, even if they can't be immediately patched.
This approach requires security teams to think beyond vulnerability scanners and patch management toward comprehensive threat detection and incident response.
The AI Reality Check
While AI promises to solve many security challenges, Max offers a grounded perspective on its current limitations and potential applications:
"AI is getting slapped like a sticker on every product, and a lot of it is not good, but there is a huge amount that is good."
The most promising AI applications in security focus on specific, well-defined problems rather than attempting to solve everything at once. Examples include:
- Explaining complex security concepts in plain language for non-technical stakeholders
- Providing contextual guidance during security investigations
- Assisting with threat modeling for specific applications
- Automating routine analysis tasks that currently require manual effort
However, Max cautions against viewing AI as a silver bullet:
"Right now, it seems like there's so much money and power being spent on generalized models. I hope to see more companies having more finely tuned models that solve real problems, instead of being a solution looking for a problem to solve."
Actionable Recommendations for Security Leaders
Based on Max's insights across multiple organizational contexts, several practical recommendations emerge:
For Startup Security Teams:
- Focus ruthlessly on the 80% of security practices that provide maximum risk reduction
- Build flexibility into team roles to avoid blocking on single projects or tools
- Maintain autonomy to pivot to unblocked work when dependencies arise
- Prioritize understanding business assets and crown jewels over comprehensive coverage
For Enterprise Security Teams:
- Invest in reducing context switching overhead through better tool integration
- Develop specialists who can optimize the remaining 20% of security practices
- Build empathy bridges between security and development teams
- Focus on detection and response capabilities for unavoidable technical debt
For All Security Organizations:
- Resist the temptation to solve cultural problems with technical solutions
- Acknowledge that perfect security is impossible and plan accordingly
- Use AI for specific, well-defined problems rather than general automation
- Measure success by business enablement, not just security metrics
Conclusion: Security as Resource-Constrained Development
Max's perspective ultimately reframes security engineering as "resource-constrained development practice" – a discipline bounded not just by technology, but by time, organizational maturity, and business context. This framing demands that security leaders think beyond technical controls toward the human and organizational factors that determine success.
The most successful security organizations recognize that their purpose is to help the business make money by protecting critical assets. This requires not just technical expertise, but the ability to operate effectively within existing business processes and constraints.
As the security industry continues to mature, the organizations that thrive will be those that can balance technical rigor with business pragmatism, deep specialization with adaptive flexibility, and comprehensive coverage with focused impact. The future belongs to security teams that can navigate complexity without losing sight of their fundamental purpose: enabling business success through risk management.
The context switching crisis is real, but it's not insurmountable. It requires intentional design of both technical systems and organizational processes, guided by a clear understanding of what matters most to the business. For security leaders willing to embrace this challenge, the opportunity to build truly effective security programs has never been greater.
. . .
A huge thanks to Max for sharing his insights with us on 'Inside Security'. You can connect with him on LinkedIn.