Tug-of-War: Balancing Security and Efficiency
I find it helpful when explaining principles to think in extremes. So, when it comes to the principle of securing a system, what is the most secure? Let us use this computer I am typing on as an example. Off. That is the most secure. Let us even take the battery out, unplug everything from it and, for good measure, stick it in a Faraday cage. I guarantee nobody is going to get into that computer, not even me.
This is the struggle that comes with being a security professional in a business environment. We need to protect the data that has been entrusted to us but we also need to ensure business can be conducted and conducted well. In an ever-evolving technical world, there is a constant need to add controls, technologies, and processes around the data and those who access it. The security team can often be seen as the department of “No” as in “No, you can’t have that access” or “No, an exception to the rules cannot be made for you.” Even worse however, is when the security team is seen as those people that are constantly making your life harder. This comes along with the introduction of new processes and requirements that slow things down and add additional work to everyone’s day.
This is why it is incredibly important for today’s security professionals to also include the thought, “How can I make people’s lives easier?” when making decisions. Despite what you may think at first, this does not mean reducing security. There are a number of reasons why.
Security Culture
The greatest security risk to any organization is its employees. Social engineering, insider threats, and human error account for most breaches that occur today. Combating these things begins with having a healthy security culture. If your employees do not understand and appreciate why things are done the way they are, you are not going to get anywhere. This is why it is important when implementing security controls that you do not sacrifice efficiency and convenience for security. If every control you put in place makes people’s work more difficult, it will become increasingly harder to implement them as you lose the required support. Even worse, it will encourage your employees to find ways around them.
Win-Win Solutions
Always be on the lookout for those golden opportunities to implement technology that can simultaneously improve security while making people’s lives easier. It is a rare and wonderful moment when employees say thank you for implementing security controls. Here are some examples:
- Single Sign-On – Wherever possible, enable SSO. Having one strong authentication (ideally with MFA) that can then be carried over into multiple applications allows for both strong authentication and quick and easy access into the systems people need to use. Combine single sign-on with passwordless access, and I promise you your staff will be grateful.
- Password Managers – Your security policy states that everyone has a strong and unique password for every system. Sure they do. Password managers allow your employees to securely store their passwords for all the applications and sites they use. Plus, with auto-generated secure passwords and auto-fill capabilities, they do not even need to know what their password is, let alone try to remember it.
- MAM / MDM – The entire point of mobile access is convenience. However, there are obviously a lot of security risks involved in allowing your employees to access sensitive data from anywhere. Fortunately, there are a lot of options for how to do this now. Is Mobile Application Management enough or do you need full blown Mobile Device Management? The most important thing is that you find the solution that is most tailored to the kind of business your employees are doing and find the best balance of security and convenience. Do not turn their phone into an expensive brick, but do not lose control of your data either.
- Security Training – Bear with me here. I know most people cannot imagine being thanked for this, but teaching security goes beyond just mandatory training and testing. Throughout the year, sprinkle in events, articles, and even games with prizes. People love the opportunity to take a break from work and do something fun. If you can get them to learn something along the way, you have already increased your security posture.
The modern security professional cannot have a one-track mind. To succeed in any business and to keep your business secure, you will have to learn to balance the need for security with the need to keep your business efficient and productive in a competitive world. This means learning to collaborate with other business units, finding the win-win solutions, and picking your battles. When you are searching for a new security solution, be on the lookout for the useful features that people enjoy, not just the security. Eventually you can stop being the department of “No” and start being a leader that your team is happy to have along for the ride.
Compass IT Compliance assists organizations across the nation in bridging the gap between security and efficiency. Our Cybersecurity Practitioners are experts in mitigating risks with the business' operational productivity and culture in mind. Contact us today to discuss your unique IT security and compliance challenges!
Contact Us
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think