Some Thoughts on Information Security

Submitted by on January 11, 2011
Information Security can be taken too far and hurt those who it is designed to protect

The Information Technology and Information Security teams face the challenge of balancing user productivity against the need for information security. These computer professionals have a duty and obligation to provide both user functionality and data security. Unfortunately, these two objectives are often diametrically opposed. One side of the house wants to empower the users to achieve high levels of productivity, and the other side needs to keep a watchful eye out for threats of accidental or purposeful information destruction, unauthorized modification, and outright theft of digital information.

Recently, the events surrounding WikiLeaks prompted the Pentagon to ban removable drives from classified networks. “The Pentagon said data transfers ‘routinely occur,’ but didn’t disable removable media due to logistics problems,” as reported by Barry Levine of CIO Today. Later, the article goes on to note, “Users will experience difficulty with transferring data for operational needs, which could impede timeliness on mission execution.” Even inside large and complex organizations, information security and user productivity are often at serious odds.

The dividing line between productivity and security is never fixed. It swings toward increased productivity at the cost of sacrificing some information security; then a breach occurs, and the pendulum swings back the other way toward lower productivity and increased information security. Personally, I have found this to be one of the most difficult mediums to find. 99.9% of all users are responsible with the information they access. Unfortunately, a few disreputable people with duly authorized access to systems abuse the trust placed in them. The actions of these few people result in increased restrictions for all.

For most small to medium-size companies, it is easier to side with higher levels of productivity and lower levels of security based on the demands of the business. However, this is a myopic view of the situation, and even departments with tight budgets need to take the time and resources to complete a competent review of the information security requirements of the business. If they fail to engage in a reasonable review, they will swing from one extreme to the other and flip-flop between security breaches and overly restricted environments, both of which result in lost opportunities and unnecessary hard-dollar costs to the company.

In my career, I have sided slightly more with increased productivity than with increased information security. That slight slant towards productivity is never extreme, and I make sure that I have an outside reviewer to act as a sanity check of my information security practices. This is an area where the stakes are so high that every company should have some outside entity that will help guide and act as the security or productivity mediator. The debates will sometimes rage on, but the result is a good balance between user productivity and information security. If any one side becomes too dominant, the business will pay an unfortunate price.
