IT Security: When Protection Becomes Prohibitive
In the business world, security is sold as a protective measure and discussed as an enabler of productivity. But what happens when security hinders work, slowly killing the business from within? How can an organization find the right balance and keep security from turning into a prohibitive frustration?

When business leaders consider information security, they think about protecting digital assets, preventing data breaches, stopping hackers, or whatever else happens to be in the headlines that day. For many, the solution is a simple one: buy some security appliance or software, place it in a rack, and you’re good to go. Unfortunately, this is a case of security being “bolted on”, a practice that makes many a security professional cringe.

Recently, a report highlighting the questionable state of mobile security within the federal government gave a perfect example of how security can get in the way of work. An employee is quoted in the report as saying that, due to the multi-layered security on their agency-issued device, “it is sometimes easier to get work done by emailing it to my much faster personal device, which has less security.” While troubling, this is a common practice among employees in both the public and private sectors: Bring Your Own Device (BYOD) is all the rage these days, and vendors are quick to sell solutions addressing the concept to eager C-level executives who follow the headlines. Yet these solutions are often cumbersome.

J. Wolfgang Goerlich, an information systems and security manager for a Michigan-based financial institution, suggested in an interview that complex password policies regularly drive employees to write passwords down, often in places easily found by a snooping thief. When business workflows require a person to use multiple computers or applications, he added, and those systems prompt them multiple times with dialogs that are often ignored anyway, that is another example of security being prohibitive.
Security turning from protective to prohibitive is about more than overzealous firewall rules or web filters. When security starts getting in the way, the root cause can often be traced to a breakdown of communication between the technology group and the business. When security is added for the sake of security, rather than leveraged to add value to the business, the result is a highly secured set of devices and networks that no one can use.

“All our USB devices are locked down, so you only can run encrypted, company provided USB drives,” Goerlich explained. That is another potential flashpoint for security problems. An auditor visiting his office, for example, couldn’t use their own USB device because of the restrictions imposed by Goerlich’s firm. Nor could the firm issue an encrypted USB device, because the auditor’s system wouldn’t be able to read it. The auditor was on the office’s secure Wi-Fi, so network file transfers weren’t an option either; transfers via email wouldn’t work, nor would cloud storage such as Dropbox. Goerlich eventually found a solution, but only after employees asked him for help. “These things happen all the time, because we security people sometimes confuse protecting the technology with protecting the business,” he said.

Goerlich believes the number-one thing IT teams can do to address how security prevents productivity is to correct their attitude toward employees, recognize employee value, and foster good relationships: “We [IT professionals] are not here to prevent some virus from being on some PC. We are here to ensure that the company can utilize the technology that we’re delivering to drive business value. And whenever those two objectives are in conflict, immediately we have to go towards driving business value.” The entire development lifecycle, whether you’re putting in new systems or implementing new applications, should be a continuous conversation with the business, he added.
Security is a process, not something added after the fact.