Overcoming Security’s Fundamental Truth & Problem
You’ve heard it before, right? “Security is inversely correlated to convenience.” This is not news. It is convenient to be able to sit right down at a computer and have access to all the data.
It’s not convenient to lock our car doors, shred our credit card bills, or drive at the speed limit. Yet most of us do these things (at least sometimes) because we want to keep our stereo, protect our identity and avoid dying in a traffic accident.
It’s this very nature that makes security so difficult for business people and IT folks to readily accept. Security really is hard. It is inconvenient. It takes a 10-minute process and turns it into 11, 15, 30 or 60 minutes. This is a hard fact. Why wouldn’t our business partners give pause when security comes with these kinds of burdens?
So, what can those of us on the security team do about this? First of all, we need to acknowledge it. Don’t pretend that security has no productivity cost. Explain to our business partners that yes, security does impact their productivity. Then lay out the pros and cons. A firewall will add time to provisioning that new web service… but it will better ensure that the service can remain online (by preventing threats to its availability), that the data behind it is not leaked inappropriately, and that the company can continue to function (by demonstrating security compliance to the necessary regulatory bodies).
Security negatively correlates to convenience, but remember, correlation does not imply causation
Admitting the problem is the first step. The second is working to reduce its impact. Yes, we know that security negatively correlates to convenience. But never forget the primary rule of statistics: correlation does not imply causation! All too often we forget that. And fortunately, there are ways to implement security that are convenient.
50 years ago seatbelts were not universally allowed in cars. They were uncomfortable, restricting… let’s be honest, they were inconvenient. While the auto industry has tried to make them more convenient, it’s largely failed. (Is anyone a fan of those automatic seatbelts? I’m perpetually waiting for them to open or close.) While we kept our eyes focused on seatbelts, an interesting thing happened. Airbags emerged. Seatbelts are inconvenient. Airbags are not. Airbags allow us to increase our safety while we drive, just like seatbelts do, but they do it in a way that the user doesn’t even notice they’re there.
Information security is similar. No, we cannot eliminate the inconvenience to users, but we can find ways to maximize our security while minimizing our level of intrusion. Think about physical security. Years ago we all had a metal key to enter our offices. While not the epitome of inconvenience, fumbling for the key to get in often encouraged our employees to just leave doors propped open or unlocked. And if the key got lost… forget about it. We had to rekey the lock and make a new key for everyone. But today almost all organizations use proximity cards to provide physical access. These cards increase security by allowing us to grant granular access to certain areas for individuals or groups, and to easily deactivate a lost badge. But best of all, they do it while improving convenience for the end user. It’s a lot easier to simply hold a badge near a reader than to fit a key into a lock. Easier for the end user and easier for the administrators.
Invest in areas where security can enhance the user experience
We in information security have a similar opportunity. While we cannot completely eliminate the inconvenience associated with security, we can capitalize on those areas where security can be improved while the user experience is enhanced, untouched, or minimally impacted. Before implementing a new security measure we should plot it on the User Impact chart.
Enhanced. This is the sweet spot, but it is also the most difficult condition to create. Web filtering is a good example of a place where we have both added security and improved the user experience. By automatically blocking the execution of malicious code, not only is the system made more secure, but the end user does not have to deal with unexpected website actions, computer slowdowns and freezes. Remember back when websites could create an endless stream of popups? Our improvements to security have eliminated that annoyance and made surfing the web more enjoyable.
Status quo. This is the situation where we can implement security that is invisible to the user, requiring no additional steps or changes to their processes. Spam email filters and well-tuned firewalls fall into this category. If they are implemented appropriately, the user shouldn’t notice that these systems exist.
Minimal impact. This category includes technologies that do impact the user experience, but do so in the smallest way possible. Adding in-line confirmation of choices and requiring complex passwords are security measures that impose some degree of inconvenience on the user, but do so to realize large gains in security.
The goal is to drive our security solutions further up this chart. As much as we can, avoid the red, productivity-hindering areas. Reducing the degree of user impact is essential to creating a security program that not only reduces risk, but does so in a way that enables the business. As we evaluate which technology to pursue and implement, there are many factors to weigh, including threat analysis, financial implications, and business strategy. User acceptance should be included in that evaluation.
Strive to maximize the number of projects that enhance or have no impact on the user, and only implement solutions that negatively impact the user when there are no other acceptable options available. As information security searches for ways to show value to the organization, the fastest and easiest way might just be to stop hindering our employees’ productivity.
Cross-posted from the Enterprise InfoSec Blog by Robb Reck