How to balance organizational productivity and enterprise security

It's no secret that enterprise security and organizational productivity can often conflict. Peter Sullivan looks at the root causes and how to address the friction.

In the business world, there are a relatively small number of things that can be done to increase profitability from a given level of revenue or income. Two well-known strategies for increasing profitability are to reduce expenses and to increase organizational productivity.

Organizations expect their employees to perform work and carry out tasks that help the organization meet its mission, as well as to produce products and services that are delivered to customers to generate revenue for the organization. Basically, employees represent labor expenses, and they are expected to be productive for the benefit of the overall organization.

Productivity is a measure of an organization's efficiency, and a simple way to measure it is revenue per employee for a given period. By this measure, a higher revenue per employee ratio indicates higher productivity and a more efficient use of available resources.

Of all the resources required to produce products and services, employees are usually the costliest resource, representing the largest operating expense. Therefore, a higher measure of employee productivity also represents an efficient use of the employee expense. If employees are one of the most important factors in measuring productivity, and they are also the most expensive resource, then it is clear that maximizing the effective use of human resources is a critical element in improving the efficiency of an organization, as well as improving productivity and profitability.

Information technology and employee productivity

Another important resource that organizations need to deliver products and services is information, as well as the technology that supports information. Information technology (IT) as a business function is dedicated to providing the enterprise with the tools and technologies needed to become as productive and efficient as possible. Without the right information available when it is needed, employee and organizational productivity can be seriously affected.

Another function of IT is to secure information against attacks, errors and outages. Obviously, it is important to protect information resources in order to protect organizational productivity.

Protecting information in order to protect productivity is in addition to the need to protect information because of its value as intellectual property. This also helps protect the security and privacy of employee, customer and financial information.

The information security paradox

The information security paradox exists when the controls used to protect information required to conduct business also make it difficult to access and use the information. The information security paradox is a conflict between organizational productivity and security. The underlying paradox is that information must be available and shared to be useful, but information security demands strict rules for access and availability.

The conflict between productivity and security is further exacerbated when taking into account the expenses of providing security, as those expenses also reduce organizational efficiency and profitability.

When an organization writes plans, policies and procedures for information security, and it implements other administrative, technical and physical information security controls, it is trying to protect information as a critical asset that is needed for business operations and continuity.

Ideally, security controls protect information while the business processes that depend on it also inform, instruct and set expectations with employees and business partners about their role, and the critical nature of that role, in protecting the information the organization needs. Equally important, these controls should not negatively impact workers' ability to perform their day-to-day tasks.

The reality is often far different, however. Instead of making it easier for employees to do their work efficiently, without uncertainty about their role in protecting information, security controls are often an impediment to effective and efficient work processes and workflow.

A global security survey conducted by Dell found that 91 percent of business respondents believed that IT security negatively impacts their productivity. The required use of multiple passwords and additional security for remote work were frequently cited as security controls that negatively impact productivity. In the same survey, 70 percent of IT professionals said that employee workarounds to avoid security are the biggest information security risks to their organizations.

Employees as security decision-makers

Information security requirements may put employees into roles that are wholly inappropriate for them, and which are counter to their work. For instance, workers are now put into the position where they are routinely expected to make security decisions that may affect security throughout the organization and may expose the organization to grave levels of risk. For example, non-IT workers are expected to analyze emails for signs of phishing attacks or the introduction of malware through attachments.

Risk-based security decision-making

Risk-based information security decision-making establishes a level of security for information that takes into account the damage that might be caused by the loss, abuse, improper access to or modification of information.

To be able to implement risk-based information security decision-making, an organization needs to have an IT risk management program and knowledge of its most important information assets. That knowledge needs to be coupled with an understanding of the impact to the organization if these assets are compromised, as well as the impact security controls can have on worker productivity. Once that is in place, there are some technical controls that can reduce the impact on employee productivity, while providing needed security.

Single sign-on

Single sign-on (SSO) is a type of access control system that enables users to log on once and be granted access to multiple information and network resources. Because SSO can enable widespread access, it should be combined with multifactor authentication systems to reduce the impact of lost credentials.

Role-based access control

Role-based access control (RBAC) is a method of restricting access to systems and information to authorized users. With RBAC, permissions are not assigned to users, but are attributes of the user's assigned role.

Through role assignment, role authorization and permission authorization, RBAC systems can simplify user rights management. Thoughtful design of user roles can ensure a user is granted access to only the resources required for their job, and separation of duties can be enforced automatically. RBAC systems are also compatible with mandatory and discretionary access control systems.

Automated email monitoring

Regardless of how much awareness and training employees receive on email phishing, emails with unwanted and malicious links and attachments can get through. Given enough phishing emails, eventually someone -- even a security-aware employee -- will click on a malicious link or attachment.

Email security gateways can ensure that malicious links and attachments never appear on a user's desktop. Email gateways can also screen for spam emails before they go beyond the network perimeter.

Context-aware security

Context-aware security is an access control mechanism that focuses on the context of the security request, and it can make real-time decisions regarding granting or denying access.

The contextual elements used to make access decisions include:

  • Who is the user?
  • What is the user requesting?
  • How is the user connected?
  • Where is the user?
  • When does the user need access?

The use of context-aware access control often complements other access control mechanisms, such as RBAC systems.
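As an added example (not code from the article or any product it mentions), the following Python sketch shows how the contextual elements listed above can be layered on top of the RBAC model described earlier: roles carry permissions, a separation-of-duties rule is enforced at role assignment, and each request is checked against who, what, how, where and when before access is granted. The roles, permissions, connection types, countries and time windows are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed sample policy (an assumption for this example, not from the article).
ROLE_PERMS = {"clerk": {"invoice:create"}, "approver": {"invoice:approve"},
              "analyst": {"report:read"}}
# Static separation of duties: no user may hold both roles of a conflicting pair.
SOD_CONFLICTS = {frozenset({"clerk", "approver"})}
# Context rules per permission: how connected, where (country), when (local hours).
CONTEXT_RULES = {
    "invoice:create": {"conn": {"office", "vpn"}, "country": {"US"}, "hours": (0, 24)},
    "invoice:approve": {"conn": {"office", "vpn"}, "country": {"US"}, "hours": (7, 20)},
    "report:read": {"conn": {"office", "vpn", "public"}, "country": {"US", "DE"}, "hours": (0, 24)},
}

@dataclass
class Request:
    user: str          # who is the user?
    permission: str    # what is the user requesting?
    conn: str          # how is the user connected?
    country: str       # where is the user?
    when: datetime     # when does the user need access?

class AccessControl:
    def __init__(self):
        self.assignments = {}   # user -> set of assigned roles

    def assign_role(self, user, role):
        """Assign a role; reject assignments that violate separation of duties."""
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role}")
        held = self.assignments.setdefault(user, set())
        if any(frozenset({other, role}) in SOD_CONFLICTS for other in held):
            raise ValueError(f"{user}: role {role} conflicts with an existing role")
        held.add(role)

    def decide(self, req):
        """RBAC check first, then the contextual checks; the default is deny."""
        perms = set().union(*(ROLE_PERMS[r] for r in self.assignments.get(req.user, ())))
        rule = CONTEXT_RULES.get(req.permission)
        if req.permission not in perms or rule is None:
            return False, "no role or context rule grants this permission"
        if req.conn not in rule["conn"]:
            return False, f"connection type {req.conn} not permitted"
        if req.country not in rule["country"]:
            return False, f"location {req.country} not permitted"
        start, end = rule["hours"]
        if not start <= req.when.hour < end:
            return False, "outside permitted hours"
        return True, "allowed"
```

Each denial carries a reason string so the decision can be logged and reviewed, which is also where the productivity cost of an over-strict rule becomes visible.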

Conclusion

Organizations are obligated to maximize profitability. Profitability is closely linked to expenses and organizational productivity. Employees are a double-edged sword in that they are responsible for productivity and also represent the greatest organizational expense.

As the Dell survey shows, information security and productivity are often at odds with each other. To protect both productivity and information security, organizations need to take a risk-based approach to security that accounts for the business value of information, and which minimizes the impact of security controls on user productivity.
