We are all familiar with the refrain that compliance does not equal security; well, neither does employee convenience. To be sure, any who has been in the workforce for more than a year or two have come across information technology (IT) teams that have, in the name of security, constipated their company’s processes and personnel. After all, if nothing moves, nothing is at risk. The legal teams in those companies must be ecstatic, but their customers? Well, when you wrap yourself in cotton and close the door, customers tend to be confined to dreams, not reality. And there you have it—why employees create shadow IT solutions and bypass all those cotton balls put in place to ensure nothing moves.
‘I Must Get My Job Done’
Sales and production are the two areas where the rubber hits the road in most organizations. If you aren’t selling, you should be making; otherwise, you are a cost center. Now the folks in IT and InfoSec are charged with providing the tools and environment to make sales and product hum like a well-oiled machine.
When that is not the case, then internal clients—employees—often do what they need to do to be successful in their job per the description: They improvise. Improvising by pushing collaboration to a third-party environment, piercing that cotton ball perimeter and putting the customer’s goods and services out there at risk. Heaven knows, configuring the AWS S3 is proving to be a challenge for experienced IT teams; imagine what happens when the accountant or marketing team tries to arrange the implementation?
Then We Have the Issue When Information Has to Travel
Do employees copy it to the company provided drive or cloud environment or do they figure it out themselves?
I strongly recommend that the company figures it out for them and provides them the tools. Why? According to a survey conducted by Apricorn, 80 percent of workers will copy company information to non-encrypted USB drives. Think about that: 8 in 10 will copy your sensitive information to a USB drive and you won’t be informed. Perhaps your data loss protection protocol will kick in and tell you?
Now the kicker: That same Apricorn survey tells us that of those 8 in 10 who are using the USB stick to shuttle data, 9 in 10 of those will not (my emphasis) tell you if they lose the USB.
Oh, happy day: Your information goes for a walk and you don’t have a clue that it is out there, let alone has been lost and is unaccounted for by your employee. Why? The employee needed a convenient work around to get their job done.
Security is Inconvenient
Yes, security is inconvenient, but it need not be a source of constipation. Instead of wrapping the employees in InfoSec cotton balls, the CISO should be bringing the stakeholder to the table. The processes and procedures evolved by the IT and InfoSec teams should be to enable and promote the success of the sales, marketing and all others. InfoSec is a revenue preservation part of the equation and thus a valued cost center.
When the client owns the process, then risks are identified and solutions reached, which obviates the need for employees to create their own shadow IT or to go off the reservation and place the company at risk for convenience sake.
When employees and partners understand the why behind a security process or procedure, then they are inclined to be compliant to the requested action.
IT and InfoSec can raise the tide and float all boats with the mindset of partnership and inclusion. And with such, the company will be conveniently secure.