Lately I have been wondering if security vs. convenience is an unavoidable tradeoff; but after an opportunity I had this week to sit down at roundtables during the GTRA Summit with CIOs, CTOs and CISOs from across the U.S. government and private industries, I believe we can have both without compromise.
Each of these stakeholders was passionate about improving the security of their respective networks — not only to protect the data and users for whom they are responsible, but also to ensure compliance with FISMA and other cybersecurity legislation that has emerged in the past few years (no easy task). And yet despite their enthusiasm, I left each roundtable feeling more and more certain that as the threat environment continues to grow, those charged with the U.S. government’s cyber defense will only grow more overwhelmed.
When More is Less
It can be expected that U.S. government CIOs, CTOs and CISOs will continue to invest heavily in security technology as threats grow, but this increased investment comes at a cost. And I’m not just talking about the particular hardware or software that they are purchasing — additional security measures can also cost users an important level of convenience and efficiency. For example:
- More advanced content filtering software and increased blacklisting means less user access to information on the web.
- More advanced IPS (Intrusion Prevention Systems) means less user functionality in email, since most if not all links will be stripped for fear of phishing attempts.
- More advanced enterprise network monitoring and increased compartmentalization of information across the network due to fear of insider threats will slow down system performance and also limit access to information.
- More advanced multifactor authentication means it will take even longer to sign into systems and start working.
All this being said, there are very good reasons why C-suite executives choose to implement the above technologies and practices. But there is also no denying that diminishing a user’s experience impacts their ability to do their job efficiently and effectively, which, in turn, impacts the overall productivity of the agency or department.
Making User-Proof Security
The hidden cost of security and compliance is its impact on effectiveness and efficiency. And this cost only increases as the evolving work force demands access to more and more technologies and devices to accomplish their work (demands that often go unheeded because of the security risks they introduce).
So how do we enable effectiveness and efficiency to grow in parallel with security and compliance? Part of the solution could be for senior cybersecurity leadership to be more receptive to the demands of users, and appreciate the burden that the modern cybersecurity posture places on a user’s ability to get his/her job done. There is also a role for industry in bridging this gap as well. Providers of cybersecurity tools need to endeavor to build better solutions, ones that not only meet compliance and security requirements but also pass the user experience test.
While there is no simple answer to this question, I think it is possible to make easy to use and user-proof security. This was a key consideration that Ntrepid employed when building Passages: providing cybersecurity leadership with the comfort of knowing all browsing activity is isolated from the rest of their network, without users losing any of the functionality they enjoy in their current browsers. If other providers follow suit, hopefully CIOs, CTOs and CISOs will have greater access to technology that will simultaneously increase their security and enable their workforce.
Will this change happen overnight? Absolutely not, but recognizing it and discussing it more will hopefully allow the shift to take hold in time. If not, the gap will only grow, leaving organizations to choose between effectiveness and efficiency on the one hand, and security and compliance on the other. This is a losing proposition either way.