Chief information security officers (CISOs) agree that end-users are the most important people when it comes to ensuring a successful security policy that protects an enterprise against cyber-attacks.
However, despite the widespread acceptance that this approach is essential to safeguard against the growing array of threats, it also presents a problem that is difficult to address.
Senior-level managers and executives understand the importance of cyber-security; they've seen any number of companies lose business, money, and customers in the wake of a cyber-attack. They understand that attacks can and do impact on the bottom line and that in some cases, senior executives have to fall on their swords.
For mid-level managers and employees on the front-line, cyber-security isn't a priority; their overarching concerns are winning business, managing customers, building products, and doing all the front-line tasks that are essential in making any organisation successful. So when a message comes down from the CEO about the importance of cyber-security, they acknowledge it. But unlike at the senior level, fear of cyber-threats doesn't drive their behaviour. Rather, these messages are often seen as restrictions on their behaviour that inhibit their everyday effectiveness.
In practice this can mean many things, but as an example, it may stop them from using certain apps or online services, such as services for project management, sales apps that flag up buying cycles, or marketing analytics tools that reveal where the most potentially lucrative leads are coming from.
These are just examples but they illustrate the point. If these apps or services haven't been sanctioned by the IT department, IT sees them as threats that can potentially compromise cyber-security. While this may keep the CISO happy, it stymies innovation, puts a handbrake on efficiency, and frustrates end users.
If security doesn't support innovation, it will always face an uphill battle for the hearts and minds of the line-of-business user. CISOs need to be on the shop floor looking at what technologies those on the front line are using, how they are being used, and the advantages they bring to an organisation.
They then need to ask how security can help further this innovation. They need to ask what they can do to secure the productivity-driving technologies that employees are already using in the business. Progressive CISOs are driven by the understanding that new tech, if securely integrated, is of great benefit. It's the opposite of retreating into the trenches.
We need to move away from the view of shadow IT in which CISOs see only horror and pain when employees bring new technologies into the workplace. The truth is that shadow IT is the biggest indicator of what employees want and what tools are helping drive the business forward.
Do you recall the first iPhone that was introduced in 2007? They were insanely popular and signalled the beginning of the smartphone revolution. Everybody had one, and those who didn't wanted one.
Apart from their innovative and aesthetic appeal, they were extremely powerful pocket computers and many front-line workers were quick to seize on the opportunities they offered in helping with everyday work tasks. However, they sent shudders down the spines of CISOs, horrified at the thought of sensitive corporate data exposed on these unprotected, “toy” devices.
Luckily, tools and technologies evolved to protect these devices and the data on them. Eventually, security professionals acknowledged the business innovation and flexible workstyles that smartphones enabled.
Today, smartphones are no longer a revolution; they are an established fact of everyday working life. Organisations that don't permit their use are typically viewed as being stuck in the past, and the best and brightest employee talent tends to give companies like this a wide berth.
Contributed by Ojas Rege, chief strategy officer, MobileIron
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.