IT Security: When Protection Becomes Prohibitive

In the business world, security is sold as a protective measure and discussed as an enabler of productivity. But what happens when security hinders work, slowly killing the business from within? How can an organization find the right balance and keep security from turning into a prohibitive frustration?

When business leaders consider information security, they think about protecting digital assets, preventing data breaches, stopping hackers, or whatever else happens to be in the headlines that day. For many, the solution is a simple one: buy some security equipment or software, place it in a rack, and you’re good to go. Unfortunately, this is a case of security being “bolted on”—a practice that makes many a security professional cringe.

Recently, a report highlighting the questionable nature of mobile security within the federal government gave a perfect example of how security can get in the way of things. An employee is quoted in the report as saying that, due to the multi-layered security on their agency-issued device, “it is sometimes easier to get work done by emailing it to my much faster personal device, which has less security.”

While troubling, this is a common practice for employees in both the public and private sector: Bring Your Own Device (BYOD) is all the rage these days, and vendors are quick to sell solutions addressing the concept to eager C-Level executives who follow the headlines. Yet these solutions are often cumbersome.

J. Wolfgang Goerlich, an information systems and security manager for a Michigan-based financial institution, suggested in an interview that complex password policies regularly drive employees to write passwords down—often in places easily found by a snooping thief.

When business workflows require a person to utilize multiple computers or applications, he added, and those systems prompt them multiple times with dialogues that are often ignored anyway—that’s another example of security being prohibitive.

Security turning from protective to prohibitive is more than overzealous firewall rules or Web-filters. When security starts getting in the way, the root cause can often be tracked to a breakdown of communication between the technology group and the business. When security is added for the sake of security, but not leveraged to add value to the business, the result is a highly secured set of devices and networks that no one can use.

“All our USB devices are locked down, so you only can run encrypted, company provided USB drives,” Goerlich explained.

That’s another potential flashpoint for security problems: an auditor visiting his office, for example, couldn’t use their own USB device due to restrictions imposed by Goerlich’s firm. Nor could the firm issue an encrypted USB device, because the auditor’s system wouldn’t be able to access it.

Moreover, the auditor was using the office’s secure Wi-Fi, so network file transfers weren’t an option; attempts at transfers via email wouldn’t work, nor would cloud storage or Dropbox. Goerlich finally figured out a solution, but only after employees asked him for help.

“These things happen all the time, because we security people sometimes confuse protecting the technology with protecting the business,” he said.

Goerlich believes the number-one thing that IT teams can do to address how security prevents productivity is correct their attitude towards the employees, recognize employee value, and foster good relationships: “We [IT professionals] are not here to prevent some virus from being on some PC. We are here to ensure that the company can utilize the technology that we’re delivering to drive business value. And whenever those two objectives are in conflict, immediately we have to go towards driving business value.”

The entire development lifecycle—whether you’re putting in new systems or implementing new applications—should be a continuous conversation with the business, he added. Security is a process, not something added after the fact.

The Security Poverty Line

Javvad Malik, a Senior Analyst in the 451 Enterprise Security Practice, suggests that small companies ask whether it’s feasible to implement security at a level recommended by experts. In most cases, he said in a recent interview, the answer is no. Many small- to midsize organizations live below the security poverty line, without the expertise, money, or appetite to invest in security.

“It’s really this uncertainty and lack of clarity, and lack of real information that is the real reason why poor security decisions are made that aren’t really appropriate to that particular organization,” he said. “When those sorts of decisions are made, that’s when it becomes prohibitive, because it’s not in line with the organization’s way of working or actual risk appetite or working culture.”

When it comes to integrating security within the business, rather than on top of it, Malik recommended investing in legal counsel, or at least someone aware of the organization’s true responsibilities: “If they’re collecting customer data, what legal obligations do they have? If they have some cardholder data, or if they’re dealing in some regulated environment. Getting that sort of knowledge is where they probably lack the most, and if they build controls around that to satisfy those needs, they’ll be in a far better place.”

Adding security after the fact doesn’t help. Taking the legal-advice option means an organization can make an informed choice about their security needs and overall risk, added Malik. From there, the business can say to vendors: “This is our data, this is exactly what we want to protect it from, can you meet these guidelines and how much will it cost?”

Business leaders face an additional level of complexity when it comes to security. Most of the time they have to purchase licenses for products from multiple vendors, each of which then has to be managed separately. Yet networks running products from several vendors often run into the problem where “product A” doesn’t play well with “product B.”

To address this, organizations are often turning to vendors who can offer several layers of protection with a single license and management option. This not only keeps things simpler, but also helps prevent the various layers of security from interrupting workflows.

“In our business, because we’re focused on these really small guys, one of the things we’ve found that adds some value is, we’ve started to take all the technology we have and turned it into cloud-managed solutions,” explained Dan Nadir, the senior director of Product Management, SMB and at Symantec.

By unifying the management side of its endpoint protection line, Symantec was able to lower the entry bar for SMBs that need security, but lack the budget, staffing, and technology to operate on a flexible scale. All of the software is hosted; endpoints download agents, which are managed from a single location.

“Because we built it generally, we can add all of the different technologies that we have. So we’ve included backup, and we’re prototyping things like the PGP and DLP,” Nadir added. “Ultimately, it’s kind of nice, because I have one login, one place to go, one support line I can call. All the reporting looks the same, it works the same, and from an administration point of view, it really removes a lot of headaches.”

Because security is included as part of the business plan, it’s integrated into the organization’s culture and processes—it becomes truly protective, not prohibitive. When it comes to protection, the key is to understand the business.
