Maksim Kabakou - Fotolia
A culture where security is onerous and inhibitive is one that does not understand its information assets. Security is about far more than saying “no” or placing barriers to access or exploitation. In needlessly locking down assets, we can inadvertently create an environment that means users will go to great lengths to circumvent policy and process.
This is because we are preventing them from doing their jobs effectively, not because everything they do is a risk to our organisational security. Knowing the difference between effective information asset exploitation and genuine insider threat is vital if we are ever to escape the “security says no” culture, and create genuine resilience that people have bought into and support.
Adopting a culture of devolved asset accountability, with information asset owners in appropriate positions throughout an organisation, means the organisation is using risk properly and allowing the owners of information assets to risk assess how systems and assets are handled by the appropriate users – in an appropriate and proportionate way.
Start with risk assessing the application, asset or platform and think about the users. Who actually needs access to the asset, how and when? If we take the CIA model (confidentiality, integrity and availability) to hone the process further, then we can free users from overly onerous restrictions.
Generally, poor security is almost entirely focused on the confidentiality, which is why you have people trying to find ways around security to do their jobs.
Understanding who needs access or the availability of the piece means you have already controlled a great portion of access through eliminating it, and can then focus on risk assessing its usage by legitimate users who may have varying work practices.
For instance, the risks posed by a mobile worker will be different to the risk faced by an office-bound worker, and so the assessment will ensure those users are given an effective way of using the asset, not a disengaged and disabling way they will seek to avoid or circumvent.
Read more from Computer Weekly’s Security Think Tank about usability
It also means more agile work practices that could benefit a mobile worker will not be avoided as a default setting as you would find in a risk-averse culture. If there are organisational benefits to using certain platforms, tools or services, and the risk has been assessed for the pertinent individuals, only then can it be genuinely decided if the risk is too great to accept, or actually within risk appetite and tolerance.
What is required to enable the use of agile technologies and systems is not fear, but understanding and a firm grasp of the risk concept. Our people are both our greatest asset and weakness, and improper use of assets can sometimes be for benign or good intentions; people trying to be more efficient or fleet of foot.
By not considering how we can enable that by using good security and risk methodology, we are doing them a disservice, for these are the people who are engaged enough to try and do things better or quicker. Let’s help them, not hinder or sanction them.