Jun 29 2015

Balancing Security And Customer Satisfaction

Those of us who perform any function in cybersecurity know how much of a challenge it can be to strike a balance between the needed level of security and a happy customer base. The two are often at odds, since they are usually diametrically opposed.

The CISO and his minions seek the utmost in security. Constantly changing passwords of a high complexity. Locked down VPN capabilities. Stringent standards for wireless networks. Strictly restricted device lists, in terms of what can, or can’t, be on the corporate network.

The user? They will want pretty much everything they cannot have, and then some. Strong passwords? Who has time for those! Complex passwords? Sure, but don’t be surprised to see one on a Post-It note on their desk. And if you told them they can’t use it at work? Guess what’s in that Amazon box that just arrived…

Now, that’s more than likely the worst case scenario, and not reality. But if you are in a position where you are either implementing a totally new and comprehensive security policy, or tightening up an existing one, it may not be that far off. It can be a painful transition, not unlike pulling teeth. But in this respect, the massive breach at Sony and others has actually been a blessing. I had a chance to sit in on a meeting recently where a high maintenance user group was becoming beta testers for a new wireless network, and while the new endeavor was undertaken in part to make connecting to the wireless easier, and performance better, all the users heard was “new security” and the resistance was similar to a dog getting into a car to go to the vet.

But in order to drive home the point, their director reminded them that no one wanted to be “the next Sony”. Simple, but direct and true. Aside from using the stark example, how can you strike the needed balance?

  • Communication is key. If you get the word out and make the users feel they are invested in the process, it can boost adoption. Allow them to think and feel as though they are an integral part of the process, even if you are herding them toward a desired outcome. If all you do is manage by edict, you will feel the backlash.
  • Understand the user issues. Yes, you know very well how to secure things around your needs. But do your needs encompass the entire enterprise? While the answer may sometimes be yes, it’s more often going to be no. Different departments have different needs. Someone might actually, for some odd reason, need to use Yahoo or access some questionable sites (for “research”…). You need to balance those out. Restrict what you can, keep separate what you need to. When you have to go in a specific direction, be clear about the reasons (security or otherwise).
  • Be constantly adapting. As a wise man once told me, “Semper Gumby”. Always flexible. What your organization needs today will probably not be what it needs in a week, a month or a year. You need to always be adapting to the ever-changing security landscape, both in terms of what your end users are doing or need to do, and what threats are out there. Failing to be flexible will doom you to failure at some point. It’s inevitable.

I readily admit that it’s easy to say it’s your way or the highway, but generally that doesn’t fly. Make a policy too strict, and watch all the users turn on their wireless hotspots (which then, of course, degrades your corporate wifi, creating another issue altogether). But I assure you, if you are strong in communicating the whats and whys of your plan, you understand your users and you are willing to be flexible, things will go much more smoothly than not.