One of the paradoxes of the digital age is that digital technologies enable employees to be more productive and innovative in their jobs – but the security measures required for digital can actually make it harder for staff to maximize the benefits of going digital in the first place.
The solution will vary from one enterprise to the next for a variety of reasons, both internal and external. But the most workable solutions tend to find the best possible balance that not only suits the culture and the business environment, but applies it at all levels of the company.
This was the general conclusion during a panel session on the topic of ‘security vs experience’ at Jicara Media’s inaugural Frontiers Of Work conference, which kicked off with a popular quote from Bounce Security CEO and founder Avi Douglen: “Security at the expense of usability comes at the expense of security.”
Put another way: if your security policy makes your employee’s job harder, the employee will find workarounds that will make your security worse.
James Zhang, VP of global information security at Bank of America, said that while the quote rings true, he sees the security vs usability issue not as a dichotomy but as a continuum in which managers are balancing and prioritizing competing factors at odds with each other.
“Ideally, we want everyone to trust that they can use whatever assets they need to the best of their abilities for the benefit of the firm,” Zhang said. “But sometimes that may not be the case. And sometimes [affecting usability] could be inadvertent as well, which is why we always have to be cautious about the type of controls and things that we put in.”
Zhang added that the balancing act becomes further complicated because security policies in many industries are typically dictated by government regulations. “The banking industry operates in a highly regulated environment, and regulatory stipulations are rarely concerned with how you increase your productivity – they’re focused on telling you how you increase your security.”
Siang Hock Kia, head and chief information security officer for Singapore’s National Library Board, agreed that the context of external rules and regulations plays a big role in how security policies are shaped.
“For example, the Library Board is in a unique position because it’s part of the landscape of government agencies, which means many of those systems are interconnected,” he explained. “So our security decisions are happening within that context.”
Accommodating corporate culture
Meanwhile, there are internal forces at play in this dynamic as well – namely, the corporate culture specific to your company and industry, said Sourabh Chitrachar, regional director of IT transformation and applications at Liberty Mutual Insurance.
“For example, if you are in a heavily regulated environment like the financial services industry or the insurance industry, that creates a culture of having data protection as a priority, and customer data cannot be shared,” Chitrachar said.
Ramesh Munamarty, senior executive vice president, technology and innovation at International SOS, agreed, saying this is especially true for enterprises that want to encourage employees to experiment and innovate.
“In order to drive experimentation and create a sandbox-like environment, security can become a constraint in terms of what you allow, what you don’t allow and so forth.” He said.
“You need to be able to design the right controls and ways to promote experimentation and then figure out at what point you should introduce security.”
However, Munamarty cautioned, “it’s not that easy because you do need to still deal with customer data while you’re doing the experimentation.”
Chitrachar concurred. “When you look at a company in the high-tech industry, or a start-up, then you cannot be heavily locked down because you need to provide that flexibility to the employees to be able to do things in a slightly more flexible manner, rather than a very rigid posture of ‘no, we cannot do this, we have to do this way’, because that will unnecessary create a lot of tension between IT and the rest of the organization.”
Employee pushback
As the Avi Douglen quote stipulates, that tension often leads to employees finding ways around whatever policies make their jobs harder to do, which leads to problems of shadow IT and potentially even more security gaps than you had to start with.
Even web browsing on the open internet can be a point of contention, said Alex Woo, head of Workspace Technology at CLSA.
“We know the internet is a dangerous place, so, usually security officers would design the proxy or the filtering policy to be quite restrictive. So, for example, most people could not go to web sites like gambling sites,” he explained. “But we’re a research company, so a lot of our analysts need to go to external web sites, right to collect information and grab reports. So there’s always fights between IT people and those analysts, who are really revenue-making people.”
Another common issue is the age-old BYOD (bring your own device) debate, he added. “Nowadays millennials going to work like to use their own Macbooks or their own smartphones. This is also causing a lot of issues and a lot of noise for us.”
The BYOD issue is relatively easy to solve these days – Woo said CLSA handles it by providing a containerized environment for BYOD devices. The point, Woo said, is that if you lock down the work environment too much, employees will push back with their own solutions.
“The proper approach to that is if you can’t control the way that they like to carry out their work, you have to provide a solution or workaround for them – you can’t just lock down everything,” he said.
Zhang of Bank of America added that designing security policies with corporate culture in mind gets even more complicated when you’re a multinational with branch offices in different countries.
“Technically it’s a lot easier for the company to apply a one-size-fits-all-policy. But we’ve got offices in 30 countries, and all of them actually have different working practices, whereby in Singapore we’re mostly in offices now, whereas overseas, a lot of people are on the go or whatever,” Zhang said. “There are different technologies suited for different purposes, so I think sometimes applying that one-size-fits-all approach is not up to scratch.”
No exceptions
Another takeaway from the panel was that the role of culture as an influence on balancing security with usability is something of a wild card in that culture itself is evolving as a result of digital transformation as well as market realities on the ground.
For example, observed Munamarty of International SOS, the steady growth of security breaches globally and the subsequent consequences has impacted security policies at the cultural level.
“Previously, for example, when you created security policies and compliance policies, a series of exceptions would be raised so all the executives would be marked out of that – they would they would be treated special, so these people don’t need to be under the same regulations or guidelines of the rest of the staff,” he said.
That’s starting to change as people become more aware not only of the risks of a breach or attack, but the fact that those risk are growing larger and the consequences more severe.
Exempting executives from security policies not only compromises that policy, it also sets a bad example for rank-and-file employees. As such – like with digital transformation in general – culture is evolving to a point where CXO buy-in for security policies is essential.
Chitrachar of Liberty Mutual agreed. “Earlier we used to design security policies based on exceptions. But now that is also changing, which is an evolution of the work culture and the overall culture in which we look at things.”