As with any form of segregation, the challenge is usually one of a reduction in communication capability. Often in the IT world, segregation is taken literally and we find hard barriers being placed between the segregated networks or data repositories. This inevitably introduces frustrations, reduces efficiencies and, in some cases, forces users into unsafe workarounds – so actually introducing more risk to the situation, instead of reducing it.
In too many cases, I feel this is largely because too many people in IT don’t spend enough time outside their technical domain and in the business itself. If they did, they would have a much better grasp of how users actually need to work, and would place their needs, along with an understanding of the business risk appetite, at the heart of their security and segregation strategies.
Creating segregation in a user-centric and business-supportive manner can deliver huge benefit. It allows us to ringfence highly sensitive information assets with appropriate levels of increased security and access control, while allowing far better access to less sensitive information assets. This can lead to greater efficiencies, lower costs and can make users more productive – with the added benefit of improving relationships between IT, risk, security and the rest of the business.
Segregation doesn’t have to resemble a difficult divorce; it is more about intelligently compartmentalising elements of our work in a way that improves security without unnecessarily restricting the business or reducing user capability. This takes time and good planning. It also requires a full and complete understanding of organisational information assets and risk appetite. That is the only way to avoid an onerous and clumsy lockdown.
IT people need to understand that you cannot completely remove risk; you can only balance risk against business objectives. By applying the principle of proportionality, you can build a segregation strategy that is fit for purpose, not only from a security point of view, but also from the users’ point of view.
A good example of a less than optimal approach is the Police National Database, a national intelligence database made unusable by the blanket application of global security controls, when the vast majority of the information came off police networks to start with. The problem manifests itself here as police officers being unwilling to use the database, because the security policy responds disproportionately to small amounts of sensitive information and its approach to segregation makes the system almost impossible to use.
When IT, data management, the business and the users are all involved in the development and implementation of a security strategy, one that includes effective and proportionate segregation, then everyone benefits. This is not a pipe-dream. It is eminently possible if stakeholders only put their personal egos to one side for the betterment of the organisation.