Some Thoughts on Information Security
The Information Technology and Information Security teams have a challenge balancing user productivity and need for information security. These computer professionals have a duty and obligation to provide both user functionality and data security. Unfortunately, these two objectives are often diametrically opposed. One side of the house wants to empower the users to achieve high levels of productivity and the other side needs to keep a watchful eye for threats of accidental or purposeful information destruction, unauthorized modification, and outright theft of digital information.
Recently, the events surrounding Wiki Leaks prompted the Pentagon to ban removable drives from classified networks. “The Pentagon said data transfers “routinely occur,” but didn’t disable removable media due to logistics problems” as reported by Barry Levine of CIO today. Later the article goes on to note, “Users will experience difficulty with transferring data for operational needs, which could impede timeliness on mission execution.” Even inside large and complex organizations information security and user productivity are often at serious odds.
The dividing line between productivity and security is never fixed and swings back and forth between increased productivity at the cost of sacrificing some information security and then a breach occurs where the pendulum swings back the other way for lower productivity and increased information security. Personally, I have found this to be one of the most difficult mediums to find. 99.9% of all users are responsible with the information they access. Unfortunately, a few disreputable people with duly authorized access to systems abuse the trust placed in them. The actions of these small few people result in increased restrictions for all.
For most small to medium size companies, it is easier to side on higher levels of productivity and lower levels of security based on the demands of the business. However, this is a myopic view of the situation and even departments with tight budgets need to take time and resources to complete a competent review of the information security requirements of the business. If they fail to engage in a reasonable review, they will swing from one extreme to the other and flop between security breaches and overly restricted environments both of which result in lost opportunities and unnecessary hard dollar costs to the company.
In my career, I have sided slightly more on the increase productivity rather than increased information security. That slight slant towards productivity is never extreme, and I make sure that I have an outside reviewer to act as a sanity check of my information security practices. This is an area where the stakes are so high that every company should have some outside entity that will help guide and act as the security or productivity mediator. The debates will sometimes rage on but the result is a good balance between user productivity and information security. If any one side becomes too dominating, the business will pay an unfortunate price.