The best way to balance business access with security risk and compliance is to be realistic about each of them.
When judging access needs and regulations you must comply with, start from what is the minimum required.
Work with the business to develop a view of where you are and where you would like to get to, and then develop a process for reaching that goal.
Try to avoid “big bang” approaches. Rather, work with an understanding of the maturity of your support organisation and define a phased approach that is realistic, achievable and minimises disruption.
We in information security are always being told that we need to do a better job of understanding the business.
What this usually means is that we must understand how to avoid disruptive change or mandated processes where few understand their value. This does mean we need to do a better job of understanding our company; its strengths, culture, even its quirky habits.
Herein lies the context that helps us understand the balance that needs to be set for any element of our security programme and defences.
When looking at the question of network access the prevailing trend is to find ways of making networks more open. So many new technologies today have companies changing the way they do things, and while the drivers will not be security and compliance; both will be a core element of success.
Our job is to ensure everyone involved understands this and thereby embraces the security, as well as the business enablers. This is where the context counts.
The process of defining the right target balance therefore must involve both the business stakeholders and their user community. I am not suggesting you should be driven by user concerns, but you should work with them to develop a mutual understanding of the objectives and the value of what needs to be done to get there.
Avoid diktats. Sell compliance internally to users and make it easy for them to comply and understand the value of doing so.
Ask for business support. Aim for a program lasting two-three years, and set yourself modest compliance goals at first and then increasingly harder ones. Make sure you allow ample time for testing, celebrate successes and be honest about failures. Analyse both openly and involve as many constituents as is feasible.
Finally remember that this is not about the technology change: it is about changing the way people work. People need time to adjust.
Continuous service and compliance improvement is the name of the game. Focus on developing confidence first by looking for small benefits designed to help people embrace the new processes— not fall behind on their current workload— and increase productivity right away.
Not only does this allow the company to move forward in a sustainable way but it also increases the ability to develop that mutually understood context as you go.
Ionut Ionescu is a member of the (ISC)2 EMEA Advisory Board