A Holistic Approach to Security and Usability
Unsettled Scales: Security vs. Usability
Just because balancing effective security with ease-of-use seems like an endless pursuit doesn't mean it's an unnecessary one. Both usability and security are important factors in a healthy workplace; finding a proper balance (that also takes cost into account) is a unique challenge of
Usability and security are so integral to IT that together, they make up a field of computer science study called Human-Computer Interaction & Security (HCISec). Some suggest that what makes this field so fascinating is that there is an inherent conflict between a system's owners and its users: users desire maximum ease-of-use while system owners desire comprehensive security.
It is not realistic to expect maximum usability and security. Well, unless you're willing to pay exorbitant amounts of money for
How to Make the Choice
Ask yourself: What do I need to protect and at what cost to my system's users? Risk assessment and protection differ depending on industry and enterprise. Some companies require new software or technology, some must implement a change in process, and some need to address behaviors and mindsets. The goal is to effectively protect data and assets without placing an unnecessary burden on operations, finance, and usability.
The truth is, you can't have it all. Increased security measures don't always result in increased security. A line must be drawn: at what point does securing the network begin to hinder productivity?
"[When security focuses] on assets and technical mechanisms,
not on the experience of users doing their work,
systems fail from day one and users immediately start working around
approved practices, which increases risk even further."
–Tsion Gonen, Chief Strategy and Marketing Officer at SafeNet
The more software and processes you implement for security, the more difficult it is for legitimate users to do their work. Often, as a result, users find ways to bypass security measures. For example, having to memorize 10 impossible passwords is going to result in employees keeping written reminders in their desks or wallets. It's only a matter of time before a list of passwords gets found by the wrong person.
We recommend being selective and focusing on your most sacred data and the highest risk. And once you've taken the proper measures to protect that data against that risk, let your employees in on the knowledge.
Security Goes Beyond IT
Communication is the great leveler between these two seemingly incompatible concepts. We hope someday we will be able to tell you that we are able to help you get all the security you want and increase
Security is not solely a technical challenge; people are the heart and soul of it. People create the data you want to protect, people will behave in ways that
One solution, then, is to be intentional about creating the security environment you
InfoWorld Media Group suggests five helpful dimensions of the new security model in their article, How to Rethink Security for the New World of IT:
- Narrow the information security focus to core, critical assets
- Protect key assets with multilayered defense systems
- Engage the people who use information to protect the assets they work with
- Team with business partners to boost their (and your) immune systems
- Make security a business problem, not just IT's problem
You can read more about each step in their Deep Dive PDF.
It may sound like we're trying to shift security off of our shoulders as an outsourcer of IT and onto yours as a CEO or manager. In reality, we want to help you decide which technical security measures are right for you and implement them. But we also want those measures to be successful in the long term, and that means being more than an IT provider. We want to be your partner, helping you integrate security measures into the culture of your company.
A few months ago, we shared these findings of Xerox's "Dreaming Discussion," and today we're reminded again of the third result: technology needs to be part of the company's DNA. "Whichever technology solution a company chooses, it will never succeed without full management buy-in and the right attitude among users." Heightened security typically decreases usability, but that doesn't have to be the end of the story.