Executive Priorities – Balancing Security and Usability

By Rafal Los ·

One of the most difficult things security leaders do every day is balancing the scales between keeping their organization’s critical assets safe and empowering its users to be productive.

I would estimate that more CISOs have been relieved of duties for failing to strike the right balance than have been fired as a result of a breach. This only underscores the importance of the tired phrase “align to the business,” which still sparks discussion even today among security professionals.

When it comes to prioritizing the two things a CISO must do well, to me there is no question the clear winner is business alignment. The right amount of security is critical and should be the first thing a CISO thinks about as they go to work every day. I like to ask “How secure is secure enough?” It’s interesting to hear some of the answers.

Many security programs push security controls and policies past the point where it becomes difficult for their stakeholders – their customers – to be productive or to perform their duties.

In these instances, security risks becoming a disabling force and developing an adversarial relationship with the business it supports, which I believe is detrimental to security in the long run.

The problem many of my security leader colleagues face is the difficulty in finding that tipping point where adding more security controls starts to have a diminishing return. Perhaps the ugliest example of this is security at the endpoint.

If you do endpoint security at all well, you likely have at least 3-4 security “agents” loaded on the endpoint. We started out loading anti-virus on the endpoint many years ago. Next, we added either a personal firewall tool or beefed up the endpoint agent to roll that feature in.

Soon after, we supplemented with endpoint encryption—which of course came with an agent—and eDiscovery or forensics and remediation tools, and DLP-style critical asset management.

This isn’t even counting some of the organization-specific tools that get loaded to integrate the various types of applications. At some point you find yourself with a support nightmare.

Once we’ve loaded the endpoints down, our users start to complain that their systems have slowed down and are barely usable – but we push on in the name of security. The relationship becomes adversarial as our stakeholders struggle to accomplish the things that are part of their job description while fighting through all the security tools.

No one should ever have to fight against a set of security tools to accomplish their job. Ever.

It’s like this in the cloud security space as well. Organizations that have a blanket “no cloud” policy are fooling themselves – luckily there aren’t many of those left. Their employees want to collaborate, move information efficiently, and just get work done.

If you figure out a way to prevent them from being able to use Box, Dropbox, Google Drive, OneDrive and the other major tools, they’ll find another one you’ve never heard of, or mail an unencrypted USB drive using FedEx. It’ll happen, if it hasn’t already.

The obvious thing to do is figure out where protecting turns to inhibiting. I think this is such a challenge to security-minded professionals because for years we’ve had it drilled into our heads that nothing bad can happen.

As we’re coming to learn, this is impossible, because bad things happen in spite of Herculean efforts in nearly every organization. So, there’s a formula I’ve seen used successfully that I’ll share:

  • High-value assets – These assets are what the business feels are most important from a legal, compliance, and business perspective
  • Business requirements – These are the things the organization is trying to accomplish
  • Security strategy – Now that you understand your business’ goals and have identified the high-value assets, you can design a strategy that meets business requirements while adding a reasonable level of security
  • Validation – Once you think you’ve got it right, test it against your most demanding users. You’ll either validate your approach or figure out where to fine-tune the strategy
  • Revisit – Just because the strategy is perfectly balanced today does not mean the business or technology won’t change tomorrow. You must always revisit this cycle to make sure security balances with usability and empowerment

The most critical piece of this five-part approach is validation. No matter how well you think you’ve done walking that line, it often takes a group of your stakeholders to confirm your approach. Also, remember that no one is asking you to give up good security just because the end user wants it to be simple.

You’re there to make sure you apply the right amount of security to the organization to lower risks to an acceptable level. It’s very difficult if not impossible for you alone to decide what acceptable means; you need the business to validate.

A very wise CIO once told a very naïve me – “Remember, without security the business still most likely can survive. Without the business, security is unemployed.”

As published in DarkMatters