I find it helpful when explaining principles to think in extremes. So, when it comes to the principle of securing a system, what is the most secure? Let us use this computer I am typing on as an example. Off. That is the most secure. Let us even take the battery out, unplug everything from it and, for good measure, stick it in a Faraday cage. I guarantee nobody is going to get into that computer, not even me.
This is the struggle that comes with being a security professional in a business environment. We need to protect the data that has been entrusted to us, but we also need to ensure business can be conducted and conducted well. In an ever-evolving technical world, there is a constant need to add controls, technologies, and processes around the data and those who access it. The security team can often be seen as the department of “No” as in “No, you can’t have that access” or “No, an exception to the rules cannot be made for you.” Even worse, however, is when the security team is seen as those people who are constantly making your life harder. This comes along with the introduction of new processes and requirements that slow things down and add work to everyone’s day.
This is why it is incredibly important for today’s security professionals to also include the thought, “How can I make people’s lives easier?” when making decisions. Despite what you may think at first, this does not mean reducing security. There are a number of reasons why.
The greatest security risk to any organization is its employees. Social engineering, insider threats, and human error account for most breaches that occur today. Combating these things begins with having a healthy security culture. If your employees do not understand and appreciate why things are done the way they are, you are not going to get anywhere. This is why it is important when implementing security controls that you do not sacrifice efficiency and convenience for security. If every control you put in place makes people’s work more difficult, it will become increasingly hard to implement them as you lose the required support. Even worse, it will encourage your employees to find ways around them.
Always be on the lookout for those golden opportunities to implement technology that can simultaneously improve security while making people’s lives easier. It is a rare and wonderful moment when employees say thank you for implementing security controls. Here are some examples:
The modern security professional cannot have a one-track mind. To succeed in any business and to keep your business secure, you will have to learn to balance the need for security with the need to keep your business efficient and productive in a competitive world. This means learning to collaborate with other business units, finding the win-win solutions, and picking your battles. When you are searching for a new security solution, be on the lookout for the useful features that people enjoy, not just the security. Eventually you can stop being the department of “No” and start being a leader that your team is happy to have along for the ride.
Compass IT Compliance assists organizations across the nation in bridging the gap between security and efficiency. Our Cybersecurity Practitioners are experts in mitigating risks with the business' operational productivity and culture in mind. Contact us today to discuss your unique IT security and compliance challenges!