In analyzing the trade-off between security and productivity, it’s generally easy to measure the impact reduced security will have on productivity. It's much harder to assess the risks, and benefits of lowering those risks, at different levels of security.
The textbook answer is to look at the impact of different security threats, and then assess the probability of them occurring. Unfortunately, we are generally bad at assessing high-impact, hard to predict, and rare events, also known as Black Swans (not to be confused with the movie of the same name).
Indeed, as much as we analyze past events that make the press, like the recent breaches at RecruitIreland.com and WikiLeaks, there are very real and well-documented psychological biases that make people underestimate these events.
Those biases (for example, my company isn't at risk for a security breach) then distort the results of our trade-off analyses for privileged identity management, and whether or not to implement least privilege.
Because it’s hard to analyze the tradeoffs between security and productivity, IT organizations can fall back on gut feelings, rules of thumb and past practices in making these decisions.
For example, the most common rule of thumb is just to follow the rules and regulations so you remain in compliance with industry regulations or current policies. As a result, compliance becomes a substitute for security. But are they really equal? Does being in compliance mean you have a secure IT environment?
Now don’t get me wrong – staying in compliance is a good thing to do. The rigor that comes with staying in compliance is a necessary element of good security strategy and sets a minimum bar for administrators to write their policies. For example, UK data protection laws let employees know which key processes are important, while revealing to independent auditors those organisations that are not doing what they say they’ve done.
However, we should be aware that it doesn’t give us a false sense of security that we are doing everything we need too. Even when we a company is compliant, that doesn’t mean a workable balance between security and productivity has been achieved.
As Infosecurity magazine reported last year, nearly every data breach occurred within organisations certified as compliant within the previous year.
The solution may in fact lie in a willingness to reframe the problem of how to manage the trade off between security and productivity. Indeed, sometimes seemingly opposing things actually interact in complementary ways, revealing their interdependence.
So, can you implement security in ways that actually enhance productivity? I believe you can.
First, minimize the productivity impact of security by making it as transparent as possible to the end user. Ideally, they won’t have to use any extra commands, no pop ups, no extra screens to go through in order to operate securely. And if the action requested by the user is allowed, just let it happen.
The Windows User Access Control slider provides a great example. If you give users the option, they will turn down the security level to avoid having to respond to an extra prompt. In other words, if you are going to give them the authority to do certain actions after a prompt, why trouble them with the extra steps?
Whereas security stops people from doing things because of the risk of, for example, data loss, these same controls can also enforce best practice. In addition to controlling actions because of a security risk, we can stop people from doing things that they should not do because of the operational risk presented. And with proper controls we can do better than “Are you really sure you want to” pop-ups that most just click through anyway.
There is also great potential in using data on what people are doing to improve productivity.
Those detailed compliance logs are a gold mines of information. They can be used not just to look for patterns that indicate a security threat, but those same patterns can show where security and other procedures – such as improper configurations of new systems – are hurting productivity. Finding those patterns can help uncover opportunities to better train employees and simplify procedures as the basis of new best practice. Once those best practices are discovered, you can use the right controls to ensure they are being followed.
Once seen clearly, the trade off between productivity and security becomes more dynamic. People – employees, partners and third-party associates – get access to what they need to do their jobs, and no more. They are not given the keys to the kingdom in the form of root access for servers or administrator rights on the desktop, which opens the door for both accidental and intentional error, but neither do they have to raise their hand every time they want access to data or to use critical applications they need to do their jobs.
Like the three bears in Goldilocks, they are given neither too much, nor too little, but just enough to do their jobs well.
Geoff Haggat, president, leads all international aspects of BeyondTrust, including customer relations and support, business development, operations and international revenue growth. Before joining BeyondTrust, Haggart served as senior vice president of international sales at Websense, overseeing the growth of the company’s international business from $1.5 million in 1999 to $150 million annually.