the corporate environment

Finding An Equilibrium

by Scott Harlow

    It happens every day. Another epic battle is waged between the operational and security groups within a company. Today there were no casualties and everyone goes on to fight another day…but why? Why do those internal groups continue to face off against each other whenever the topic of security is brought up? Operational and security groups sometimes have different points of view on the way a company does business, but isn’t the main objective for both groups to ensure the long-term success of the company? Clearly, there are many factors that can affect the success or failure of a company, but one of the hardships companies face most often is balancing the operational group’s desire to carry out its business functions smoothly and efficiently with the need to secure the corporate environment.
    It’s no mystery why these two business functions typically conflict. Most, if not all, security measures come at the expense of a feature, some functionality or a convenience of an existing business process. It is essential for an organization to carefully consider what it intends to accomplish from a security standpoint, and the potential impact that action may have on the overall functionality of the business unit to which it is being applied. The objective is to secure the environment as much as is humanly possible without blocking the flow of business in the process. Sounds easy enough, right? Sure, but given recent headlines and the fear of being featured in the next big one, it is easy for companies to overcompensate and implement security controls too tight to be successful long term. A simple example would be forcing end users to use 16-digit, complex passwords to access their workstations. Add on top of this the authentication and password management requirements of section 8.5 of the PCI Data Security Standard, which requires passwords to expire at least every ninety days and prohibits an end user from setting a new password identical to any of the last four they have used, and you have a very secure authentication process, but a business functionality nightmare. It is not only likely, but probable, that network security actually becomes worse rather than better, because passwords end up written down and “hidden” under keyboards or in desk drawers. Of course, most companies don’t require a 16-digit password, but without taking into consideration how business processes are affected by security measures, one can see how the overall effect of security can be greatly diminished.
    So what’s the magic recipe for success? The variables will change with the environment, but there are things you can do to help eliminate the ongoing struggles. The most important one is to work towards a balance between operational flows and corporate security. An important way of introducing that balance is to involve more people in the security decision-making process. Form a committee to discuss potential risks and work as a team to construct solutions. Include the departmental managers most affected by changes in security and those who have a vested interest in seeing the company succeed. Try to avoid filling every chair in the room with a security expert. Diversity amongst the committee members will prove effective in keeping core business functionality from being a forgotten topic when deciding on a security solution. At the same time, don’t lose sight of the fact that securing the environment at risk is still a primary objective. Take into consideration the business needs of affected areas, but don’t be tempted to let convenience overshadow security. Find an acceptable balance between the two. Use the committee to discuss any side effects the proposed security measures may bring with them. Doing so will keep members informed of proposed changes and will set realistic expectations of the end result. Departmental managers, executives and other committee members will appreciate the opportunity to take part in the decision-making process, and are more likely to embrace the new security policies because of it. The key is to work together as a team to find an overall balance when developing your security solutions. It not only helps prevent unforeseen setbacks to critical business processes caused by unrealistic security policies, it significantly increases the solution’s chance of being accepted company-wide, resulting in a more successful security solution in the long term.