How Identity Controls and Calibrated Security Friction Help Businesses Reduce Cyber Risk

The Security Digest - News Team
Published March 10, 2026

Joshua Copeland, Director of Cybersecurity at Crescendo, explains how aligning identity, access, and workflow friction helps organizations reduce risk while preserving productivity.

Credit: Outlever

Key Points

  • Modern businesses run across cloud services, SaaS tools, and distributed devices, where rigid security controls slow operations while weak protections leave critical systems exposed.

  • Joshua Copeland, Director of Cybersecurity at Crescendo, explains that identity has become the central control point for securing these decentralized environments.

  • Organizations strengthen resilience by designing identity controls, calibrated friction, and continuity planning that protect systems without disrupting daily work.

In 2026, identity is the new master control plane. If you get identity right with strong verification and phishing-resistant MFA, things like phishing, vishing, and quishing become far less disastrous.

Joshua Copeland

Director of Cybersecurity
Crescendo

Security now lives inside the daily rhythm of business, and identity sits at the center of it. Every login, approval, and system access introduces a small moment of friction, and the way organizations design identity controls determines whether work moves forward or grinds to a halt. As operations stretch across cloud platforms, SaaS tools, and distributed devices, digital resilience depends on calibrating security so it protects the business without slowing it down.

Joshua Copeland, Director of Cybersecurity at the strategic security consultancy Crescendo, Adjunct Professor at Tulane University’s School of Professional Advancement, and Deputy Commander for the Cyber Reserve in the Louisiana State Guard, has spent years helping organizations rethink how security fits into the business. Across corporate and government environments, his work focuses on moving beyond traditional perimeter defense toward risk management that aligns with how companies actually operate. That perspective becomes especially important as identity emerges as the central control point in cloud-first environments.

"In 2026, identity is the new master control plane. If you get identity right with strong verification and phishing-resistant MFA, things like phishing, vishing, and quishing become far less disastrous," Copeland says. Organizations operate in decentralized, cloud-first environments, where network location no longer guarantees trust. Identity is emerging as the single most reliable constant across systems.

  • Calibrated mechanic: "Friction is key for motion. If you have too much friction, the tire doesn’t go anywhere. If you have too little, the tire spins in place. You have to find the right amount of friction that allows the tire to move forward. Cybersecurity functions a lot of the same way," Copeland explains. The goal is not to eliminate friction but to calibrate it, designing controls that support how people actually work while still reducing risk. When security aligns with operational realities, protection becomes part of the system’s movement rather than a force that slows it down.

  • Circumvention dilemma: "Requiring re-authentication for every financial transaction can create thousands of dollars in lost productivity when analysts handle multiple transactions a minute. Every half hour is enough to prove identity without slowing operations," he notes. "When Exchange blocked certain file types, people just renamed them or used Gmail. You have to balance security without encouraging workarounds."

When security blocks tools outright, employees often find ways around the restriction. Creating controlled environments for experimenting with AI tools that do not retain sensitive data allows organizations to guide adoption instead of driving it underground.

  • Department of no: "Anybody with a credit card is their own IT department now. Twenty years ago, you had to go through IT, but now anyone can buy a SaaS product. Finance may notice multiple ChatGPT charges, but IT isn't stopping them. Security needs to start saying yes, employees can use ChatGPT, but only the company-paid version with controls and created pathways that let them work safely and responsibly," says Copeland. This lets teams innovate safely without creating chaos.

  • Hands up in the air: "It’s not just your third-party or fourth-party risk, it’s their third- and fourth-party risk. You have to understand where your systems lie and plan how the business will continue if something breaks. If email goes down, a manufacturing firm can keep producing, but a pure sales organization might stop. Knowing this lets you build redundancy and isolate key pieces so operations can continue," he says. That perspective shifts security planning beyond prevention toward continuity, mapping dependencies across systems, partners, and workflows so the business can keep operating even when disruptions occur.

Cybersecurity leadership is about understanding the business you need to protect, and ensuring that every control, from identity verification to workflow friction, supports productivity while mitigating threats. Risk management becomes a proactive enabler when leaders master this balance. "Without the business, the cybersecurity piece doesn’t exist. While you might argue the business wouldn’t exist without security, there has to be a business to secure in the first place. It’s absolutely on us to understand how we help that business do its business," Copeland concludes.