When it comes to security policies, employees often find them restrictive and a hindrance to their work, while IT teams feel marginalized and see their job as thankless. In this article, Joanna Burkey, chief information security officer, HP, describes how CISOs can take this conflict as a springboard to reform security strategy.
There’s always been tension at the heart of any business. To unleash productivity, workers feel they need seamless access to online resources and collaboration tools. But that same access can be a major security risk. It’s a tension that has exploded into near conflict during the pandemic, according to a new HP Wolf Security study. On one side are employees who are increasingly frustrated at what they see as overly restrictive policies. On the other are IT security teams that feel marginalized and have come to view their job as a “thankless task.”
Yet, out of this conflict can come lasting, positive change if CISOs grasp the moment to push for reform. It’s time to listen more than ever to users, open the lines of communication, and build collaborative security partnerships that will ultimately drive down risk and create a foundation for business success.
A Ticking Time Bomb
Security often took a back seat during the last 18 months. Some 91% of IT teams said they felt pressure to compromise security to support business continuity. This is understandable at a time of tremendous uncertainty and existential crisis for many organizations. In many cases, prioritizing operations and productivity was the right call.
But this is harder to defend now that organizations are emerging from those dark days. As the hybrid workplace becomes the de facto model for most businesses, the risks associated with remote working will persist. That means IT teams must find a way to manage insecure home networks, distracted users, unpatched endpoints, and misuse of corporate devices.
Yet the outlook isn’t promising. Office workers are apathetic at best towards security policy, with many increasingly frustrated at measures they see as a hindrance and a waste of time. At worst, these attitudes could coalesce into a major security risk. Nearly a third (31%) of office workers aged 18-24 claimed they’d tried to circumvent security in the past year. It takes just one misplaced click to land the enterprise in a world of trouble. At a time of heightened threats from ransomware, firmware attacks against notebooks and PCs, and vulnerability exploitation, it’s understandable why many IT teams claim these attitudes represent “a ticking time bomb” for a breach.
Friction and Risk
Users have a new set of expectations around the technology they use every day to do their jobs, and they are looking for a seamless experience that doesn’t hinder productivity. They expect things to work quickly and refuse to be encumbered, and this is especially true of younger generations.
Having grown up in a connected world filled with seamless user experiences, their expectations of technology are sky-high compared perhaps to some of their older colleagues. Oftentimes they simply aren’t used to dealing with policies that restrict experience in favor of security. And they have a point. Who hasn’t felt frustrated with endless log-in authentication requests, blocks on opening email attachments, and restricted access to websites?
In many cases, the past months spent at home, perhaps accompanied by mounting uncertainty over their role, have amplified these frustrations. On the other side, IT teams are reaching their limit. Most IT teams (80%) said they’d received pushback from users, and more than two-thirds (69%) said they’re made to feel like the “bad guys” merely for imposing restrictions designed to make the organization more secure. As dejection mounts, the last thing organizations need is for some of their most important team members to throw in the towel. Doing nothing is not an option; it will only lead to mounting friction, enterprise risk, and unhappy workers on both sides of the debate.
Spreading the Burden
It’s time for CISOs to use this opportunity as a springboard to reform security strategy — with engagement, empathy, and collaboration as the watchwords. First, let’s improve communication with users to help them understand the rationale behind certain policy decisions. That simple knowledge can have a major positive impact on user behavior. Second, security teams need more support before they burn out. This means investing in new levels of endpoint protection that offer advanced visibility and remote management while being as unobtrusive as possible to avoid end-users trying to circumvent it.
Third, we must listen more closely to our users and consider adapting policies accordingly. Now that hybrid working is the new normal, it may be time to re-evaluate the organization’s risk appetite. This is a continuous process of evolution: as the workplace changes, so must its security strategy, to ensure employees have the best possible support and threats are mitigated. Engagement with the organization’s youngest users will be critical to understanding how security impacts their workflows and to setting the business up for long-term success.
Ultimately, we must look to build partnerships across the business so that security is truly embedded into the organization’s DNA. Cybersecurity is an end-to-end discipline where everyone needs to engage, so continuous and comprehensive security and awareness training programs are a must. Building bridges in this way will help spread the burden of security and ensure users take on more accountability.
Cultural and organizational change of this magnitude won’t be easy, and it won’t come overnight. But with strong leadership and a commitment to two-way communication, it is certainly possible.