We can’t let employees use an Android phone. It’s not enterprise-ready!
A Mac? We don’t use those.
Flash drives are not allowed here!
We have all heard arguments like that.
For as long as I’ve been active in information security, there has been tension between InfoSec folks and technology users.
Users’ perspective – The tools and devices that the company provides just aren’t good enough. I use a <some device> at home, and it really would help me at my job. In fact, I’ve already started using it for some work activities…
InfoSec perspective – The consumer device may be Really Cool, but we haven’t done a security assessment on it yet. Can the data on it be encrypted? What about a remote wipe of the data? We’re not going to allow that on our corporate network…
And so the tension goes on and on and on.
What ever happened to technology being an enabler?
So, what role does Information Security play?
- Don’t allow unwanted traffic on the network.
- Don’t allow unauthorized software on the workstation.
- Don’t allow access to certain data.
- Don’t allow unapproved devices.
That’s all pretty negative, isn’t it? Here are some random thoughts about what we should be doing…
- Don’t forget that business exists for a reason. Our job is to help protect that business, not always to be like Nancy Reagan and “just say NO”.
- Encourage personal responsibility to protect the business. It is the job of everyone.
- Find out what the real deficiency is that the user is trying to remediate with the consumer device and address that real need.
- Remember that there are legitimate times to take a stand and refuse to allow certain devices to be used in the company.
- Regulations such as PCI DSS, SOX, GLBA, etc. exist to provide guidelines. Many businesses can be surprisingly flexible, even when these regulations must be followed.
- But don’t be afraid to do the necessary work to perform a risk analysis of the device, and maybe change policy or practice if the risk is at an acceptable level.
- Finally, an attitude of working together can go a long way in helping the user to understand the issues surrounding their favorite consumer device.
That’s about it for my thoughts this week. Until next time…
- Dan
