In business today we all struggle with the need to improve business efficiency and productivity, as well as reduce costs in order to ensure a stronger bottom line. The problem is, how do we address these priorities and manage risk at the same time? Managing risk and protecting the brand are not always top of mind as we are focused on shareholder returns.
In my experience, the number one issue is cultural conflict whereby most senior executives including the board of directors, often continue to see information security or risk management as an IT problem, or worse as a technology problem, as opposed to a business problem.
Business leaders should acknowledge that they need to manage security risks in the same manner as they manage financial risks, and give security the high priority and funding it warrants.
Another conflict come from the age-old struggle between usability and security. I’ve been involved in information security for over 30 years and I’ve seen this many times, where senior executives and staff see security as an inconvenience. Many times I have seen that the IT staff create a secure environment but executives and staff start demanding that these controls be relaxed so that they can perform their job.
When senior executives perceive that a security program will make their computing experience more difficult, it’s often hard to overcome that perception. However, the security team is still expected to keep the enterprise secure.
Another areas where the challenge lies is with middle management and project staff. Often these are the people under high pressure to get projects completed quickly and efficiently, and they’re looking for shortcuts.
Bring-your-own-device (BYOD) issues have created their share of conflicts between security and business executives. When the iPad first came out the first people who wanted to carry them around were the senior executives. How do you secure this? Everyone was trying to figure out how they could get a device that wasn’t ready to deploy securely. People want these cool new tools or devices like that, without giving thought to the security issues.
Security if done well should provide protection in a user-friendly way. Security doesn’t have to be an impediment to getting things done. It can enhance productivity at the same time as providing data protection.
It’s imperative for the IT executives to partner with business leaders to help them comprehend the correlation between the expenditure on information security and how it enables the other business units to create, implement and deploy their business initiatives in a secure fashion.