Ice or square tires: Balancing security and productivity
- Posted on April 27, 2020
This article was originally published on Forbes.com
Would you rather drive on ice or with square tires? Every day, those of us responsible for our companies’ security come up against a version of that crazy question.
As company leaders, our primary responsibility is to keep our people productive. That’s how we make the money that allows us to stay in business. At the same time, as security professionals, we have an overriding responsibility to keep our employees’, our company’s and our customers’ information and data secure.
Some version of this security-versus-productivity conundrum plays out in companies across the world. As CIO and CISO for a global company, I live this every day. I think of it as a balance of friction. Zero friction is bad. Try driving on ice. Too much friction is also bad. Try driving on square tires.
Similarly, too many of the wrong types of security requirements can impact users’ productivity. Too few results in an unacceptable level of risk. The challenge is to find the correct balance for your circumstances. You may be in a regulated industry. You may be dealing with certain types of information. Your IT model's maturity may be a factor.
Once we begin thinking of security versus productivity as a friction continuum, we can make decisions based on risk and business factors. For example, multifactor authentication is a basic security protocol that can be frustrating to some users. Perhaps they have to carry a token, or every time they want to access something, they first have to get a code on their phone. But if we turn the system off, we leave ourselves vulnerable to hackers.
To find a balance between these two competing forces, we can look to additional factors to find the correct amount of friction.
As I write this, I am on a corporate machine, one that our Azure AD system trusts. If I am accessing a corporate system from my corporate machine, then my machine acts as a second factor, and I don’t receive a prompt. On the other hand, if I am at an aunt’s home for Thanksgiving dinner and jump on her machine to answer a quick email, then I get prompted for a second authentication factor, and that makes sense.
However, you can also create additional access categories for your company’s security. If an employee is at a relative’s house using their PC, then you can limit their ability to access or download content. If an employee is on a fully managed device, they have access to everything they need to do their job. If the cloud telemetry tools detect that an employee’s account is being targeted, they will get additional prompts while they are under that higher-risk umbrella.
By taking into account everything happening in our ecosystem, we can establish the correct amount of friction for each circumstance. We don’t want so fine a trigger that everyone gets prompts, but we can go “shields up” for certain accounts if they are under attack.
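The friction-by-context idea described above can be written down as a small conditional-access policy. The following is an added example, not code from the original article or from Azure AD; the signal names (`device_managed`, `account_risk`, `mfa_completed`), the rule order and the `prompt_rate` metric are all assumptions chosen to mirror the scenarios in the text: a trusted corporate device counts as the second factor, an unmanaged device gets a prompt and then limited access, and a targeted account goes "shields up".

```python
"""Toy conditional-access evaluator for the security/productivity friction continuum.
Added example: the rules and signal names are assumptions, not Azure AD's policy engine."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # no prompt: the trusted device is the second factor
    PROMPT_MFA = "prompt_mfa"  # ask for a second factor before continuing
    LIMITED = "limited"        # signed in, but download/sync of content is disabled
    BLOCK = "block"            # "shields up": refuse the sign-in


@dataclass(frozen=True)
class SignIn:
    user: str
    device_managed: bool   # device enrolled and compliant (assumed signal)
    account_risk: str      # "low" | "medium" | "high" from cloud telemetry (assumed)
    mfa_completed: bool    # a second factor already succeeded in this session


def evaluate(s: SignIn) -> Decision:
    """Pick the friction level for one sign-in from its context signals."""
    if s.account_risk not in ("low", "medium", "high"):
        raise ValueError(f"unknown risk level: {s.account_risk!r}")

    if s.account_risk == "high":
        # A targeted account on an unmanaged device is refused outright;
        # on a corporate device it is prompted even though the device is trusted.
        if not s.device_managed:
            return Decision.BLOCK
        if not s.mfa_completed:
            return Decision.PROMPT_MFA

    if s.device_managed:
        # Corporate machine acts as the second factor: no prompt, full access.
        return Decision.ALLOW

    # Relative's PC: always a second factor, and then restricted access.
    if not s.mfa_completed:
        return Decision.PROMPT_MFA
    return Decision.LIMITED


def download_allowed(s: SignIn) -> bool:
    """Content leaves the session only when the device is fully trusted."""
    return evaluate(s) is Decision.ALLOW


def prompt_rate(signins) -> float:
    """Share of sign-ins that hit a prompt or a block: a crude friction metric."""
    signins = list(signins)
    if not signins:
        return 0.0
    costly = sum(1 for s in signins
                 if evaluate(s) in (Decision.PROMPT_MFA, Decision.BLOCK))
    return costly / len(signins)


# Constructed sample sign-ins covering the article's scenarios.
SAMPLE_SIGNINS = [
    SignIn("alice", device_managed=True,  account_risk="low",  mfa_completed=False),
    SignIn("alice", device_managed=False, account_risk="low",  mfa_completed=False),
    SignIn("alice", device_managed=False, account_risk="low",  mfa_completed=True),
    SignIn("bob",   device_managed=True,  account_risk="high", mfa_completed=False),
    SignIn("bob",   device_managed=True,  account_risk="high", mfa_completed=True),
    SignIn("bob",   device_managed=False, account_risk="high", mfa_completed=True),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(f"{s.user:6} managed={s.device_managed!s:5} risk={s.account_risk:6} "
              f"mfa={s.mfa_completed!s:5} -> {evaluate(s).value:10} "
              f"download={download_allowed(s)}")
    print(f"prompt rate across sample: {prompt_rate(SAMPLE_SIGNINS):.0%}")
```

Running the sample shows the balance the article describes: the managed-device sign-ins pass with no prompt, the unmanaged ones pay for a second factor and then lose download rights, and the high-risk account is the only one that is prompted on a trusted device. The `prompt_rate` figure is the kind of number a pilot group can report back to business leaders when a rule turns out to add more friction than value.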
Of course, it takes time to find the appropriate level of friction. At my company, we turn to a test group of diverse users in different roles and different countries who have volunteered to help us. They get new software first. They also test out new security tools, and they give us feedback on how they impact their work. In some cases, we have had to pull back a bit because we found that a new solution caused more friction than value. By measuring the amount of friction versus value, business leaders will have a clear idea of how security procedures will impact the business.
As you begin to dig into this issue of security versus productivity, consider the following tips that I have found helpful:
- Choose vendors and partners who understand this balance. Look for productivity vendors familiar with corporate enterprise security requirements and vice versa.
- Consider your overall ecosystem. Sometimes the overall strength of a coordinated, integrated business system outweighs a disparate collection of best-of-breed stand-alone solutions.
- Build joint strategies for the enablement of technology and security. From the very beginning, develop and deploy enablement tools in close coordination with your security organization.
- Make education and awareness campaigns a top priority. The best security systems are even stronger when they are supported by users who understand them and respect why they are necessary. Rather than occasional one-hour security training, consider moving to an ongoing awareness campaign that keeps security top of mind. For example, our teams create bite-sized, entertaining segments to remind our global employees that security is everyone’s business.
By looking at the full continuum between security and productivity, you don’t have to drive on square tires at all, and you sure don’t have to skid on ice. You can create strong security systems that keep your people and data safe while making it possible for everyone in your organization to do their best work. The extra effort it takes to find that correct amount of friction is well worth it.