Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Balancing Information Security and Usability | Optiv
One of the most difficult things security leaders do every day is balancing the scales between keeping their organization’s critical assets safe and empowering its users to be productive.
I would estimate that more CISOs have been relieved of duties for failing to strike the right balance than have been fired as a result of a breach. This only underscores the importance of the tired phrase “align to the business,” which still strikes discussion even today among security professionals.
When it comes to prioritizing the two things a CISO must do well, to me there is no question the clear winner is business alignment. The right amount of security is critical and should be the first thing a CISO thinks about as they go to work every day. I like to ask “How secure is secure enough?” It’s interesting to hear some of the answers.
Many security programs push security controls and policies past the point where it becomes difficult for their stakeholders – their customers – to be productive or to perform their duties.
In these instances security risks being a disabling force and developing an adversarial relationship with the business it supports, which I believe is detrimental to security in the long run.
The problem many of my security leader colleagues face is the difficulty in finding that tipping point where adding more security controls starts to have a diminishing return. Perhaps the ugliest example of this is security at the endpoint.
If you do endpoint security well at all, you likely have at least 3-4 security “agents” loaded on the endpoint. We started out loading anti-virus on the endpoint many years ago. Next, we added either a personal firewall tool or beefed up the endpoint agent to roll that feature in.
Soon after, we supplemented with endpoint encryption—which of course came with an agent—and eDiscovery or forensics and remediation tools, and DLP-style critical asset management.
This isn’t even counting some of the organization-specific tools that get loaded to integrate the various types of applications. At some point you find yourself with a support nightmare.
Once we’ve loaded the endpoints down, our users start to complain that their systems have slowed down and are barely usable – but we push on in the name of security. The relationship becomes adversarial as our stakeholders struggle to accomplish the things that are part of their job description while fighting through all the security tools.
No one should ever have to fight against a set of security tools to accomplish their job. Ever.
It’s like this in the cloud security space as well. Organizations that have a blanket “no cloud” policy are fooling themselves – luckily there aren’t many of those left. Their employees want to collaborate, move information efficiently, and just get work done.
If you figure out a way to prevent them from being able to use Box, Dropbox, Google Drive, One Drive and the other major tools, they’ll find another one you’ve never heard about, or mail an unencrypted USB drive using FedEx. It’ll happen, if it hasn’t already.
The obvious thing to do is figure out where protecting turns to inhibiting. I think this is such a challenge to security-minded professionals because for years we’ve had it drilled into our heads that nothing bad can happen.
As we’re coming to learn, this is impossible because bad things happen in spite of Herculean efforts in nearly every organization. So, there’s a formula I’ve seen be used successfully I’ll share:
The most critical piece of this five-part approach is validation. No matter how well you think you’ve done walking that line, often times it takes a group of your stakeholders to confirm your approach. Also, remember no one is asking you to give up good security just because the end user wants it to be simple.
You’re there to make sure you apply the right amount of security to the organization to lower risks to an acceptable level. It’s very difficult if not impossible for you alone to decide what acceptable means; you need the business to validate.
A very wise CIO once told a very naïve me – “Remember, without security the business still most likely can survive. Without the business, security is unemployed.”
As published in DarkMatters
September 20, 2017
Many CISO's and security teams are struggling with developing and executing an effective cloud security strategy, especially one that can keep up with....
Let us know what you need, and we will have an Optiv professional contact you shortly.