This essay examines the multi-faceted meaning of the word “security” (in its Latin form, “securitas”) during the Roman era. It is Track IV of a longer concept album exploring what we mean when we use the word ‘security’ (and what it should mean).

You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:

A marble statue of a goddess uses a laptop. She has a spear on her back and looks erudite and divine.

While a sense of dignity is not the vibe most of us feel when clicking through mandatory cybersecurity awareness training courses, dignity and security were seen as closely coupled concepts in the Roman era.

Cicero, writing in the last century B.C., noted that whoever has tranquillitas animi (tranquility of mind) and securitas will have dignitas (dignity)1. Cicero’s meaning of securitas here involves the absence of care or fear as well – and he saw this tranquility of mind as a prerequisite for an individual’s personal happiness and prestige in society. (We will talk about respect and dignity in the context of security more once we time travel to more modern definitions of the word).

A century later, Seneca framed securitas as a mindset[^24], a lovely extension of the existing notion of security as a bundle of emotions. Inspired by Socrates, Seneca viewed securitas – and the absence of fear[^22] – as the way the wise can come closer to god, because only a god has no reason to fear death[^23].

Securitas as this nearly-divine mindset quickly morphed into an association with divinity itself during the reign of Nero (the 1st century AD), specifically reflecting the divinity of the Emperor[^25] on coinage. It also started to reflect an environmental vibe rather than emotions or mindset; the surrounding world, the genesis of a subject’s freedom from care, could also be securitas, possessing a peaceful and tranquil atmosphere.

But Seneca also laid the groundwork for coupling the security of the state with security of individuals, in the specific sense of public securitas contributing to the capacity to live according to virtue. In this framing, securitas was explicitly based on mutual trust between the ruler and the ruled.

This reflects yet another semantic deviation from cybersecurity, which is generally mistrustful of any parties outside infosec, including those who should be allies (like software engineers). How else should we characterize the common refrain that any employee is a potential “insider threat”? And the cybersecurity status quo certainly does not seem to foster mutual trust by helping potential allies live well; it offers minimal proof that it has the best interests of the collective in mind and, if anything, often proves the opposite.

In fact, Seneca highlights that it is a mistake to think that “a ruler is [only] safe when nothing is safe from the ruler.”2 The pox of “shadow” assets – whether shadow IT, shadow SaaS, shadow containers, shadow APIs – shows that the infosec establishment succumbs to this mistake readily. In fact, infosec’s general fetishization of control – vitalized by vendors – is a continuous realization of this mistake.

As anyone familiar with the motifs of history could predict, the subsequent rulers did not listen to Seneca’s admonition, which eventually led to an explicit rejection of hereditary rulership in the Nerva-Antonine dynasty. (Take that for what you will in the context of our current cybersecurity rulership). This led Tacitus to express the new securitas publica (public security) as the confidence of the citizens that the state will no longer threaten them[^27]. That mutual trust was the core ingredient of securitas during that phase and reflected a check on authority.

It is interesting to ponder the notion of securitas publica in the organizational context; an organization’s citizens would be confident that the enforcers of security policy can no longer disrupt their way of life or erode their pursuit of fulfillment. How many cybersecurity programs might be characterized as such today? How many programs instead feel disruptive, corrosive to productivity, and fostering anything but a “peaceful and tranquil atmosphere”?

Securitas’ confident spirit evolved into the meaning of “assurance of faith” (as opposed to doubt) during Late Antiquity, as espoused by Tertullian and, later, Saint Augustine. This “opposition to doubt” is again at odds with one of the letters of the acronym which defines traditional cybersecurity: F.U.D. (fear, uncertainty, and doubt). As we’ve seen time and again throughout this series (and we’re only into the 2nd - 5th century A.D. here!), the earlier and variegated meanings of securitas fly in the face of traditional infosec. Traditional infosec wants to doubt everything. It takes pride in doubting everything. Assurance of faith is seen as a security sin!3

Speaking of faith, early Roman Antiquity also saw the creation of Securitas as a deity. While the mythos surrounding Securitas, the goddess, is lamentably shallow, it’s worth noting that she was the goddess of security and stability4. Given the evidence from the DORA research and metrics that stability and speed work in tandem and are complementary, this suggests that if we worship at the altar of security, then we must also worship at the altar of speed.

The Roman god of speed, Mercurius (aka Mercury), was also the god of shopkeepers, merchants, travelers, transporters of goods, thieves, and tricksters. It’s worth noting that the coupling of commerce and prosperity with security is quite common throughout its history (more on this once we get to the 16th century). Traditional cybersecurity, in contrast, often pretends that prosperity is not the primary goal or, worse, views prosperity as a foe to security.

“Why don’t companies prioritize security? Don’t they know THE THINGS can be HACKED??” Well, dear security people, what do you think allows the companies to pay for your six- or seven-figure salary? It is because they prioritize money that they can afford to spend it on security endeavors that do not remunerate them and often cannot even be tied to tangible success outcomes beyond “we saw these malware samples or known bad IPs this month,” spoonfed from vendor dashboards in symbiotic self-perpetuation.

The infosec industry forgets that security, even in its more modern meaning, is not just about protecting against threats; it’s about protecting something from those threats. In the business context, it’s about protecting prosperity from threats. Through this lens, is it not a victory if a security program waters the seeds of revenue growth? And is the security program not a tragic failure if it chokes and cages this material growth because of a “risk” that exists only as an incorporeal counterfactual?

Between the profligate spending on ineffectual security tools and the obstructionism imposed by security programs, it’s quite possible that the threat to enterprise prosperity by traditionalist information security rivals that posed by actual attackers.

This distinction is also embedded in the term “national security,” even as we mean it today: national security is about defending against threats to what? Liberty, prosperity, the pursuit of happiness… and we rightly dislike security measures that get in the way of these goals (often labeling them as “Security Theater”5).

Thus, we must ask: information security defends against threats to what? Largely the same things, but in businessy and computery contexts. If liberty or prosperity or the pursuit of happiness is choked out by security measures, then security is itself the threat and the subjects are left in need of security against security6. Indeed, this is where we find ourselves with cybersecurity today.

But we are not yet done with this era. A few centuries after the deification of securitas, its meaning as “carefree” was twisted by religious leaders into an undesirable form: the state of being careless, reckless, heedless, and negligent7.

This notion of security is perhaps closest to the status quo in infosec today, which is quite careless with human (user, developer, colleague) time and attention, reckless with organizational budget, and negligent toward design-based security solutions that are more reliable than attempting to control human behavior. The cybersecurity industry is heedless in its FUD-fueled zealotry, fretting about irrelevancies while pretending nothing can be done about the grey rhinos charging into our systems.

Securitas was also relevant in the context of “Roman security” and specifically meant the Roman Empire’s peaceful and orderly domination of the world. Would we characterize traditional infosec programs as peaceful and orderly today? Even diehard zealots of the cybersecurity status quo readily admit that much of infosec in practice is firefighting and disorder. A worthy question is: who benefits from this paradigm?

Alas, the Roman Empire declined, as did securitas, whose meanings were largely stolen by the word certitudo. Thus, we must go to the provincial stables of the Middle Ages to continue our semantic safari. The two meanings of securitas not consumed by certitudo included pax (peace) and religious indifference.

The latter meaning persisted (albeit without nearly as much popularity as before) through to Martin Luther in the 16th century, who labeled “die Sicheren” as the people he was fighting against – people who did not truly trust the Holy Spirit and substituted religious rituals and conspicuous, performative acts for true faith. In his time, spiritual unity was preserved “through coercion and violence… dissent from orthodoxy was outlawed, heresy was rooted out and punished by fire and sword.” Luther was excommunicated for his “errors” about the Holy Spirit, including the “error” of believing the Christian god wouldn’t want heretics burned alive.

In our era, the traditionalist Security People put quite a bit of trust in their folk wisdom and rituals, despite their unclear success. It is still counterculture to suggest that humans shouldn’t be punished for security “errors.”8 And does it not benefit the vendors and research analysts to continue spoon feeding this advice to security leaders?

Just as Martin Luther felt centuries ago about religious belief, is it wrong to want to reconstruct our entire approach to cybersecurity? Just because power structures are in place, incumbents entrenched, money flowing, does not mean something new, bold, and based on real acts of security rather than displays of it – on outcomes vs. outputs – could not supplant the status quo. Fatalism is not true to our nature as humans and certainly not true to the spirit of the “security” concept as we have seen.

But there is more for us to see and for that, we must venture onward into the pre-Enlightenment period and beyond…

Continue with Track V: The Evolving Meaning of “Security” after the Roman Era (Securitas).

The cover art for the album with the title: What do we mean when we say security? It depicts an island floating in a sky filled with rainbow and pastel clouds in shades of periwinkle and violet. The island itself is a paradise, a blend of fantasy and cyberpunk aesthetics. Lush trees blanket its ledges while waterfalls cascade from each ledge, frozen in time and resembling a beautiful digital glitch. It is meant to reflect the utopia we might achieve with our systems – our own islands – if we embraced the original meanings of the word security.

  1. From De Officiis passage 69 (nice): “Vacandum autem omni est animi perturbatione, cum cupiditate et metu, tum etiam aegritudine et voluptate nimia et iracundia, ut tranquillitas animi et securitas adsit, quae affert cum constantiam, tum etiam dignitatem.” This translates roughly to: “But it is necessary to be freed from all disturbance of the mind, both from desire and fear, and also from distress and excessive pleasure and anger, so that there may be peace of mind and security, which brings with it constancy, as well as dignity.” ↩︎

  2. Schrimm-Heins, A. (1991). Gewissheit und Sicherheit: Geschichte und Bedeutungswandel der Begriffe certitudo und securitas (Teil I). Archiv für Begriffsgeschichte, 34, 123-213. ↩︎

  3. Of course, in SCE, we want to foster this sort of assurance through repeated experimentation – cultivating confidence through empirical evidence affirming or denying our hypotheses about the resilience of our systems. ↩︎

  4. Upon learning this, I immediately updated my brain dictionary lookup to display Security as a gorgeous transbian goddess whose favorite language, naturally, is Rust. I am hoping for a crossover episode in which our representative enby god, Loki, woos her by donning thigh highs made of the tendons of her enemies. ↩︎

  5. Levenson, E. (2014). The TSA Is in the Business of ‘Security Theater,’ Not Security. The Atlantic. ↩︎

  6. Quis custodiet ipsos custodes? ↩︎

  7. It was Pope Gregory I as hypeman for this interpretation and, yet again, the parallels between traditional infosec and the authoritarianism of the Catholic Church are… intriguing to say the least. ↩︎

  8. It’s been fun watching the industry catch up to me. ~6 - 7 years ago when I was dropping spicy takes about how bullshit “gotcha” security tests are (along with a bunch of other behavioral science-informed takes), I got a ton of pushback and usually vitriol. BuT ReAL aTTaCkErS dOn’T CaRe AbOuT fEeLinGs. Many of those same people now launder those takes and pretend like they were always on board. There’s probably a post in itself about the adoption cycle of hot takes where, at the beginning, people bristle because it’s new and bold and different but eventually it’s accepted enough that it’s worth changing your beliefs and evangelizing it to look “thought leadering.” Hopefully one day I’ll be similarly vindicated with my (still wildly unpopular) take that “DevSecOps” is an unnecessary and harmful term. ↩︎