Every organization has faced the dilemma of convenience over security and most have compromised on either one or the other. While the information security triad of integrity, confidentiality and availability has been regarded as the mantra of CSOs, convenience has constantly played an important role in both productivity and operations.
While the IT department’s mission is to make sure the entire infrastructure is up and running according to requirements and standards, security is sometimes not on its focus list. To this end, it’s up to security officers to devise a strategy for defining goals, identifying their mission statement (or reason for existence), and for setting security objectives that match their expected results.
Convenience and the Path of Least Resistance
Security policies often hammer user productivity, either by enforcing multiple authentication factors or by setting in place control methods that raise the usability barrier (sometimes even for non-critical systems).
This control matrix is usually a good way to beef up integrity and confidentiality, but it also pushes users towards finding new ways to circumvent those controls. Restrictive policies will enable the company to keep a tight lock on its assets, but users will always favor convenience over security.
One way to counter this is by communicating, upon hiring, the security roles and responsibilities of each employee, and following up annually with continuous education on the security culture. Security should be the responsibility of everyone within the company, as it’s there to support the vision, mission and business objectives of the organization.
Strategic, tactical, and operational security planning must not only have metrics and goals, but should also include management and employees from all levels. Security policies that refer to senior management, regulatory, advisory and informative actions often lead to procedures that, while accomplishing security requirements and objectives, may end up reducing employee performance if not balanced properly.
It’s also vital for organizations to not only perform baseline benchmarks to ensure a minimum level of security, but also implement security mechanisms to enforce consistency across networks, applications and products. Both company-centric and government standards can address security risks when used in conjunction with security best practices, guidelines and recommendations.
Security objectives should at all times be clearly defined and properly messaged across all company verticals to make sure everyone is accountable for their security-related actions.
If convenience should win over security, the implications could be devastating for organizations. They might lose even more than their customer data – they might lose their business. Today’s malware is extremely well versed not only in moving laterally across the IT infrastructure, but also in allowing attackers remote access into the organization.
At the other extreme, if security becomes too paranoid and too many control mechanisms are set in place, productivity and usability take a beating, potentially leading to other problems that impact company performance.
Finding the right balance between the two is no easy business, and security officers should carefully assess assets and budgets, aligning them to the company profile and business. There’s no universal recipe for successfully implementing paranoid security with full convenience, but the secret lies in assessing risks and knowing where your critical data is.