In an investment bank, a security manager draws up a policy document listing the software that is authorized for installation on company computers, following the principle of least privilege: people get only the access they need to perform their day-to-day activities and no more. All employees are denied the right to install any new software without written permission from the security manager.

John is writing a report for a client. The deadline is fast approaching, but he still has a lot of work ahead of him. The night before the deadline, John realizes that finishing the work requires a specialized data analysis tool that is not on the list of authorized programs. He cannot install it on his workstation because he lacks the required privileges, and obtaining formal written approval from the security manager is not feasible because it would take too long. John decides to copy the sensitive information required for the analysis onto a flash drive and finish the work on his personal computer at home, where he can install any software he wants. He understands the risk, but he also wants to get the job done, avoid missing the deadline and earn a good performance review. Unfortunately, he leaves the bag containing the flash drive in the taxi on the way home. He never tells anyone about the incident, to avoid embarrassment or a reprimand.

The security manager in this scenario clearly failed to recognize the employees' needs before implementing the controls. A general rule of thumb never to forget: employees will most likely work around security controls to get their work done, regardless of the risk this poses, because they value their primary business activities more than compliance with security policies. To address this, security managers should analyze security controls in the context in which they will operate, identify where they clash with how work actually gets done, and resolve those conflicts by adjusting the policy. In John's case, that would mean an approval path that can realistically be completed under deadline pressure.
They should also communicate the value of security accordingly. Scaring people and imposing sanctions are unlikely to be the best approach. Instead, they should demonstrate to employees that complying with security policies contributes to the efficient operation of the business. Security not only protects the confidentiality and integrity of information, it also ensures that the resources employees need to complete their primary tasks remain available. Employees need to understand that security is important for achieving the company's goals, not something that gets in the way. Achieving this requires a change in the organization's culture.

About the Author: Leron Zinatullin (@le_rond) is a business-oriented information security professional with several years of proven experience in security architecture and project management. He has extensive knowledge and practical experience in analyzing and solving governance, risk, compliance, information security and privacy issues.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.