The results of the 2014 Protiviti IT Security and Privacy Survey reports that:
• 77% of organizations have a password policy or standard.
• 67% of organizations have an information security policy.
• 59% of organizations have a workstation/laptop security policy.
• 59% of organizations have a user (privileged) access policy.
Based on these statistics, the enterprise organization has plenty of IT and information security policies in place, and yet, data breaches are on the rise, doubling from December of 2014 to August of 2015. Given these statistics, it seems unlikely that enterprise security policies are, in fact, keeping enterprise organizations safe.
Human users are touted as the weakest link in an information security system. Historically, IT has taken a top down approach that forced users to work within the confines of a system that didn’t take user productivity into consideration. IT and security professionals focused on creating limits to protect the network from the user, throwing up barriers in the name of network security. This impacted user productivity but was accepted as collateral damage in the fight to keep the enterprise network safe. Users were left to choose between upholding security protocols and personal productivity.
Given the choice between job security and network security, most users will choose productivity and hope for the best when it comes to protecting the network. Christian Anschuetz on the Wall Street Journal blog, CIO Journal, agrees. “Forced to choose between disruptive, apparently irrational, and easily circumvented security directives and getting their job done, employees invariably choose to be productive,” states Anschuetz.
While maintaining enterprise security will always be the number one priority of information security professionals everywhere, the modern information security professional recognizes that times are changing. Network security at the expense of user productivity is counterproductive. When threatened with limitations to productivity, users have proven that they will find ways around IT and information security initiatives through shadow IT.
Progressive, security-focused organizations must consider their users when they create security policies. Backing into security policies and initiatives based on user needs allows enterprise organizations to simultaneously meet security and user-productivity demands. Rather than forcing users to work outside of their usual workflows, modern information security secures the enterprise where and how its users prefer to work, eliminating unsanctioned workarounds and shadow IT solutions. The result is greater enterprise security and happier end users.
By Rachel Holdgrafer, Content Business Strategist, Code42
[Cloud Security Alliance Blog]