How do you handle a situation where a security control is effective but slows development too much at SAS?