With all security policies and practices, there is naturally going to be some tradeoff between ease of use and safety. However, security measures can be counterproductive if they are too severe. Just as people will prop open a locked door when it meets their needs, users will find ways to circumvent security policies and procedures they perceive as too cumbersome or that prevent them from accessing the network resources they need. Just take a walk around the office and see how many employees keep a copy of their network password hidden underneath their keyboard.
It’s a simple fact that if people think network security is keeping them from doing their jobs, they will seek the services and access they need from a less secure source. They will install their own software, download shareware, buy a laptop connect card or an AirCard, and get on their smartphone or iPad and start doing business.
So how does an organization balance its security imperatives against user access needs in this era of distributed and open networked systems? Certainly, it is vital to have a comprehensive strategy in which a variety of measures — including firewalls, intrusion prevention, VPNs, VLANs, endpoint security, Web application security, and more — are synchronized to create a globally distributed defense. But technology is only part of the answer.
Most important — and more difficult to achieve — is the creation of comprehensive and understandable security policies developed in concert by the folks who run the network and the ones who have to use it. CIOs and IT administrators have to make a conscious effort to meet with their customers, internal and external, to find out what they need to do their jobs.
It isn’t easy. In fact, it can be a downright painful process. Users — IT’s customers —are usually not very technology-savvy. They know where to click and they know how to use the tools they need for their jobs, but they don’t understand what goes on behind the scenes. On the other hand, most network experts never really understand their customers’ jobs and what they need to work efficiently. The lack of communication and understanding between the two groups can lead to some hostility.
With two-way communication, IT can understand how network modifications can help customers do their jobs, and users can understand why certain limitations and restrictions are necessary to keep the network secure. Through the use of questionnaires and interviews, CIOs can gain insight into the organization’s culture and its ability to meet various security standards and requirements. IT must also share complex security principles in a simple manner. Policies that are overly technical and difficult to understand can actually be a barrier to effective security.
This two-way communication provides a crucial starting point in the development of an effective security policy that provides maximum security with minimum impact on user access and productivity. It isn’t a “one-and-done” process, however. Because organizations are constantly changing, security policies must be updated regularly to reflect new business directions, technology upgrades and resource allocations.
In the end, even the most comprehensive security policy is ineffective if users won’t support or comply with it. That’s why keeping IT and users plugged in to each other’s needs is the key factor in striking a balance between security and access.