Feature InFosec
Water Will
alWays Find a Way
Your workforce will always find ways to circumvent your
security policies - so maybe it's time to help them?
Christian McMahon, Jamaza
Christian McMahon is Managing Partner - Board & CIO Advisory at Jamaza bvba, with 20+ years of influential
leadership experience in building value and revenue-generating multinational IT organisations. He is a regular
writer for Outsource online.
J
ust like water will always find a way
through or around any obstacle,
so will people find a way around
any security measures you seek to
implement. You may think you have
thought of the most foolproof method
of managing your data, but as soon as you
implement it and ride out the first wave of
direct (and often blunt) feedback, people
will start beavering away on ways to get
around your processes. Anybody who thinks
otherwise is only fooling themselves and
will be rudely awakened when a security or
other serious data breach occurs.
The best way to remedy this and
eliminate it as best you can is to create and
reinforce an educative program that informs
people of the reasons as to why you are
having to implement these policies and not
just labouring on the pitfalls of not adhering
to your security policies.
As time-consuming and labour-intensive
as it sounds, a period of open discussion
and feedback sessions will alleviate some
of the staff objections prior to drawing up
your policies and generate an enormous
amount of goodwill.
Everybody appreciates there needs to be
some level of security, especially in heavily
regulated or security-conscious industries,
but nobody appreciates dictatorship levels
of oppression when they are not completely
necessary. Simply saying it's a disciplinary
offence to not adhere to these policies
without explaining them thoroughly first or
taking an objectionable point of view on
board will alienate you from the very people
you are trying to protect.
We've all been asked by staff across the
organisation if they can use third-party file
sharing services like Dropbox to share data
etc. and had to refuse them on security
grounds. We all know they use these
services (and you probably do as well)
and trying to implement an internal, secure
enterprise version of a similar technology
is very time-consuming to manage and
expensive - not to mention extremely
difficult to secure.
Smaller companies with less-advanced
infrastructure will often use third-party
file sharing services as a low-cost and
logical extension to their infrastructure. The
security risk to their IPR is no less great
than larger corporates but they thrive on
the nimble and agile gain that using these
services gives their businesses.
When new individuals join your
organisation from these smaller and more
agile businesses through acquisition or
organic growth, they will quickly challenge
any seemingly draconian procedures you
have in place. They will challenge you that
their agility and productivity is being stifled
by these procedures with the very valid
reason they are often brought in to disrupt
your existing business working in precisely
the way they need to.
We need to take on board these
new types of people and the roles they
perform, adapting the necessary rules
and procedures to allow them to go about
their business rather than stifling them
with regulation. This is challenging and
a bit scary but as long as your security is
not diluted too far, adapting to incorporate
these new roles and working practices
will show your willingness to change and
adapt and will not go unnoticed across the
organisation.
In the new arena of change and
disruption, those who adapt will thrive and
those that don't.... Well, you know how that
story ends.
"In order to create lasting security you must learn to stand in your truth." - Suze Orman
www.outsourcemagazine.co.uk
●
●
●
●
85
http://www.outsourcemagazine.co.uk
Table of Contents for the Digital Edition of Outsource Magazine Issue 34