Productivity vs. IT security — it is at the heart of the never-ending battle between business managers and IT security leaders.
On the one hand, product managers, marketing managers, factory managers, finance managers, and other business managers are tasked with executing a specific job. From their point of view, IT security is a secondary consideration that could impede their ability to discharge core duties.
They therefore invest as little time and effort as possible in managing IT security risk. That is only natural: employees tend to disregard secondary activities that add work without a return commensurate with that of their primary activity.
On the other end of the spectrum, IT security managers see a singular fixation with growth and productivity as a disastrous approach. It could cost the business through security breaches, regulatory censure, and reputation loss.
A raw pursuit of productivity can have catastrophic results, and all the work that goes into it can unravel if an IT security risk materializes. However, an excessive emphasis on security controls can hamper employee productivity. The good news is that you can have the best of both worlds. Here are some ways to do it.
Compartmentalize IT security risk
Compartmentalizing IT security risk involves the implementation of several concepts. Most important: segmenting the organization’s network to isolate data breaches and malware infections. That way, a security incident will not necessarily spill onto other sections of the network.
Second, prohibit the sharing of administrator-level passwords between multiple users. Instead, each administrator should have their own credentials so that actions can be attributed to an individual. Third, develop a baseline for network and user activity so that deviations from the norm stand out.
Adopt a layered approach to security
Organizations should put in place multiple layers of security controls around their system and data resources. That way, a failure in one layer does not necessarily compromise data and system security.
Examples of these layers include encryption, sandboxing, and data loss prevention (DLP) tools. With layered security, employees can get on with their work without feeling hamstrung by IT security tasks.
Multifactor authentication (MFA) makes it harder for an attacker to break into a system, but it also introduces friction that frustrates users. If staff have to complete MFA every time they access an enterprise application, the process eventually erodes their productivity and efficiency.
Instead, implement adaptive authentication policies, which allow some MFA checks to be skipped depending on a user’s activity and risk profile. For example, if a user logged into the same device a few hours earlier, they can skip the MFA steps that were already verified then.
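The adaptive policy described above, written out as an added example (not code from the original article): an MFA prompt is skipped only when the same user on the same device passed MFA within a validity window, from the same location, and the session's risk score is low. The thresholds, the risk score and the trust store are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs: constructed values for this example, not from the article.
MFA_VALIDITY = timedelta(hours=8)   # a completed MFA on a device is trusted this long
HIGH_RISK = 70                      # risk score (0-100) at or above which MFA is never skipped

@dataclass
class DeviceTrust:
    last_mfa_at: datetime   # when this device last passed a full MFA check
    country: str            # where that check happened

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    risk_score: int         # produced by whatever risk engine the org runs (assumed)
    now: datetime

def mfa_required(ctx: LoginContext, trusted: dict) -> tuple:
    """Decide whether to prompt for MFA. The prompt is skipped only when every
    low-risk condition holds; any doubt falls through to 'require'."""
    if ctx.risk_score >= HIGH_RISK:
        return True, "risk score at or above threshold"
    rec = trusted.get((ctx.user, ctx.device_id))
    if rec is None:
        return True, "device has never completed MFA for this user"
    if ctx.now - rec.last_mfa_at > MFA_VALIDITY:
        return True, "previous MFA older than validity window"
    if ctx.country != rec.country:
        return True, "location differs from the one verified earlier"
    return False, "recent MFA on same device and location"

def record_mfa(ctx: LoginContext, trusted: dict) -> None:
    """Call after a successful MFA so later logins from this device can skip it."""
    trusted[(ctx.user, ctx.device_id)] = DeviceTrust(ctx.now, ctx.country)

# Constructed scenario: alice passed MFA on laptop-1 from DE at T0.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
TRUSTED: dict = {}
record_mfa(LoginContext("alice", "laptop-1", "DE", 5, T0), TRUSTED)

if __name__ == "__main__":
    later = LoginContext("alice", "laptop-1", "DE", 10, T0 + MFA_VALIDITY / 2)
    print(mfa_required(later, TRUSTED))   # same device, same country, inside window
```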
Over-provisioning user access creates unnecessary risk. When users can access a system or feature they do not need, this is not just a threat to the organization’s data; it can also draw regulatory censure. It increases the danger posed by insider threats, and attackers target users with elevated access privileges.
Under-provisioning may lead to frustration and diminished productivity that holds up critical business workflows. Under-provisioning would also trigger increased helpdesk requests, thus tying down IT resources that would otherwise be expended on more vital projects. Under-provisioning can increase the risk of credential sharing as employees scramble to get things done at all costs.
Both over-provisioning and under-provisioning can be minimized by automating the provisioning process around the user lifecycle from onboarding to departure. You can also reduce this risk by adopting a role-based approach where access privileges are assigned to a job function or job title instead of on a case-by-case basis.
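A role-based reconciliation of the kind described above, as an added example that is not the article's own code: each job title maps to a fixed set of entitlements, and a periodic pass reports grants beyond the role baseline (over-provisioning), role entitlements a user lacks (under-provisioning), and leavers who still hold access, then brings every account to its baseline. The role catalogue, directory and grants are constructed sample data.

```python
# Role catalogue: a job title maps to the entitlements it needs (constructed data).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "finance-manager": {"erp:read", "erp:approve", "reporting:read"},
    "factory-supervisor": {"mes:read", "mes:schedule"},
}

def expected_access(roles):
    """Entitlements a user should hold, derived purely from their role(s)."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS[role]
    return expected

def provisioning_drift(user, roles, actual):
    """Compare what a user actually holds with what their roles justify.
    over  -> grants beyond the baseline (excess privilege worth an attacker's attention)
    under -> role entitlements not granted (blocked workflows, helpdesk tickets)"""
    expected = expected_access(roles)
    return {"user": user,
            "over": sorted(set(actual) - expected),
            "under": sorted(expected - set(actual))}

def reconcile(directory, grants):
    """Lifecycle-driven pass: directory maps active users to roles, grants maps
    accounts to the entitlements they currently hold. Returns (drift report,
    corrected grants) without mutating the inputs."""
    fixed = {user: set(ents) for user, ents in grants.items()}
    report = []
    for user, roles in directory.items():
        drift = provisioning_drift(user, roles, fixed.get(user, set()))
        if drift["over"] or drift["under"]:
            report.append(drift)
        fixed[user] = expected_access(roles)        # bring account to its baseline
    for user in list(fixed):                        # accounts with no HR record are leavers
        if user not in directory:
            report.append({"user": user, "over": sorted(fixed.pop(user)), "under": []})
    return report, fixed

# Constructed sample: bob kept an approval right from an old project, carol was never
# given hers, dave is correct, erin left the company but still has an account.
DIRECTORY = {"bob": ["finance-analyst"], "carol": ["finance-manager"], "dave": ["factory-supervisor"]}
GRANTS = {"bob": {"erp:read", "reporting:read", "erp:approve"},
          "carol": {"erp:read", "reporting:read"},
          "dave": {"mes:read", "mes:schedule"},
          "erin": {"erp:read"}}

if __name__ == "__main__":
    for entry in reconcile(DIRECTORY, GRANTS)[0]:
        print(entry)
```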
Invest in automation
IT security threats are diverse and may use different attack points. Actually, a single threat could attack different enterprise touchpoints in different ways. For this reason, solely relying on employees and security procedures to protect enterprise systems and data may be foolhardy. This is where IT security automation can play a more effective role.
By understanding numerous potential attacks and touchpoints, automated IT security solutions are in a better position to create a robust defense against diverse and evolving threats.
Continuous IT security awareness
Small, otherwise insignificant intrusions often grow into a large-scale breach because the organization lacks the knowledge to detect and respond quickly. That knowledge should not be the preserve of IT operations and IT security staff alone; your IT security is likely to be more effective if the wider workforce is on board.
Yes, employees tend to be the weakest link in an organization’s security. But by instituting continuing security training and awareness for all, you can make your staff a security asset instead.
Security training and awareness do not by themselves guarantee that every employee will do what is required when faced with an IT security risk. They can, however, also serve to identify staff who need extra training or who should be governed by more granular security controls.
Conduct regular IT security reviews
Frequent reviews are an important tool in capturing and closing security gaps without causing significant disruption to product development and operational efficiency.
The reviews do not have to be large-scale, enterprise-wide, or overly complex. Rather, keep them simple and easy to understand so they are not reduced to a routine that IT security managers rubber-stamp to get it over with.
Instead, develop a review process that prioritizes the most sensitive and mission-critical systems and processes. With that, you can identify and close gaps proactively.
Businesses primarily exist to make a profit. It is only rational that they would invest most of their resources in speed, functionality, and efficiency. But in this drive for profitability, there must be space for IT security risk management.
All businesses will experience security failures, intrusions, weaknesses, and oversights at some point. In the largest organizations, these incidents occur multiple times a day. Without striking the right balance between pursuing profitability and keeping a lid on IT security risk, they are in danger of a full-on data breach that could disrupt operations, tarnish their reputation, and lead to financial loss.
It is crucial that organizations see IT security and controls as not an IT issue but an enterprise issue that requires the support of business executives, product managers, and the entire staff.