Balancing Information Security and Usability | Optiv

March 19, 2015

One of the most difficult things security leaders do every day is balancing the scales between keeping their organization’s critical assets safe and empowering its users to be productive.

I would estimate that more CISOs have been relieved of duties for failing to strike the right balance than have been fired as a result of a breach. This only underscores the importance of the tired phrase “align to the business,” which still sparks discussion even today among security professionals.

When it comes to prioritizing the two things a CISO must do well, to me there is no question the clear winner is business alignment. The right amount of security is critical and should be the first thing a CISO thinks about as they go to work every day. I like to ask “How secure is secure enough?” It’s interesting to hear some of the answers.

Many security programs push security controls and policies past the point where it becomes difficult for their stakeholders – their customers – to be productive or to perform their duties.

In these instances security risks being a disabling force and developing an adversarial relationship with the business it supports, which I believe is detrimental to security in the long run.

The problem many of my security leader colleagues face is the difficulty in finding that tipping point where adding more security controls starts to have a diminishing return. Perhaps the ugliest example of this is security at the endpoint.

If you do endpoint security well at all, you likely have at least 3-4 security “agents” loaded on the endpoint. We started out loading anti-virus on the endpoint many years ago. Next, we added either a personal firewall tool or beefed up the endpoint agent to roll that feature in.

Soon after, we supplemented with endpoint encryption—which of course came with an agent—and eDiscovery or forensics and remediation tools, and DLP-style critical asset management.

This isn’t even counting some of the organization-specific tools that get loaded to integrate the various types of applications. At some point you find yourself with a support nightmare.

Once we’ve loaded the endpoints down, our users start to complain that their systems have slowed down and are barely usable – but we push on in the name of security. The relationship becomes adversarial as our stakeholders struggle to accomplish the things that are part of their job description while fighting through all the security tools.

No one should ever have to fight against a set of security tools to accomplish their job. Ever.

It’s like this in the cloud security space as well. Organizations that have a blanket “no cloud” policy are fooling themselves – luckily there aren’t many of those left. Their employees want to collaborate, move information efficiently, and just get work done.

If you figure out a way to prevent them from being able to use Box, Dropbox, Google Drive, One Drive and the other major tools, they’ll find another one you’ve never heard about, or mail an unencrypted USB drive using FedEx. It’ll happen, if it hasn’t already.

The obvious thing to do is figure out where protecting turns to inhibiting. I think this is such a challenge to security-minded professionals because for years we’ve had it drilled into our heads that nothing bad can happen.

As we’re coming to learn, this is impossible because bad things happen in spite of Herculean efforts in nearly every organization. So, there’s a formula I’ve seen be used successfully I’ll share:

  • High-value assets – These assets are what the business feels are most important from a legal, compliance, and business perspective
  • Business requirements – These are the things the organization is trying to accomplish
  • Security strategy – Now that you understand your business’ goals and have identified the high-value assets, you can design a strategy that meets business requirements, while adding a reasonable level of security
  • Validation – Once you think you’ve got it right, test it against your most demanding users. You’ll either validate your approach or figure out where to fine-tune the strategy
  • Revisit – Just because the strategy is perfectly balanced today does not mean the business or technology won’t change tomorrow. You must always revisit this cycle to make sure security balances with usability and empowerment

The most critical piece of this five-part approach is validation. No matter how well you think you’ve done walking that line, it often takes a group of your stakeholders to confirm your approach. Also, remember no one is asking you to give up good security just because the end user wants it to be simple.

You’re there to make sure you apply the right amount of security to the organization to lower risks to an acceptable level. It’s very difficult if not impossible for you alone to decide what acceptable means; you need the business to validate.

A very wise CIO once told a very naïve me – “Remember, without security the business still most likely can survive. Without the business, security is unemployed.”

As published in DarkMatters
