Looking at trade-offs between security and productivity, the hardest part is assessing risks and the outcomes of lowering such risks at various levels of security. The conventional approach is to analyse the impact of different security threats, and then assess the probability of them occurring. Unfortunately it is always easier said than done as we are generally bad at assessing high-impact, hard to predict, and rare events, which Nicholas Nassim Taleb, well-known professor and practitioner of tail risk hedging, calls black swan(s) in his New York Times bestseller of the same title.
Case in point are the breaches in Hong Kong's Octopus Card, and most notably, those via WikiLeaks - among others, where we see very real and well-documented psychological biases that make people under-estimate such events. Those biases (for example, my company isn't at risk of a security breach) distort the results of our trade-off analyses for privileged identity management, and whether or not to implement least privilege.
Most of the time, IT organisations end up relying on rules of thumb, past decision making experiences, and sometimes on sheer gut feelings.
The most common rule of thumb, and perhaps presumed safest is to follow the rules and regulations - that way you remain compliant with industry regulations and current policies. Effectively, this results in making compliance a substitute for security.
Which leads to the question, does compliance really constitute security? Is being in-compliance tantamount to having a secure IT environment?
Well for one, let me state that compliance is never a bad thing to begin with. The rigour and discipline that comes with it alone are critical elements of sound security strategies, and likewise sets the bar for IT administrators to formulate their policies.
For instance, comprehensive data privacy laws such as the South Korea Act on Promotion of Information and Communications Network Utilization and Data Protection already prohibits and imposes fines for the transmission of malicious programs that may harm information and communications systems, without justifiable reason.
We should, however, not be lulled into a false sense of security that by being compliant, we have done everything we could to optimise the balance between security and productivity.
Indeed, a keynote address at last year's Computer Security Institute's Conference highlighted the fact that virtually every organisation that had experienced a data breach was certified as compliant with major standards, such as that of the Payment Card Industry (PCI), within the previous year.
The solution may in fact lie in a willingness to reframe the problem of how to manage the trade-off between security and productivity. Sometimes seemingly opposing things actually interact in complementary ways, revealing their interdependence.
I believe you can implement security in a manner that actually enhances productivity. Here are some thoughts:
Sign up for MIS Asia eNewsletters.