A recently released survey by Luxembourg-based “contextual security technologies” provider Balabit drew some results that are certainly thought-provoking, if not a bit unsettling. The Balabit survey is based on interviews with 381 conference attendees at the EIC (European Identity & Cloud Conference 2015) in Munich, InfoSecurity in London and Moscow, Les Assises in Monaco, Confidence and the IDC Security Roadshow in Poland. IT executives, auditors, CIOs, and CISOs participating in this survey represented organizations in the telco, finance, government and manufacturing sectors. Below are some of the results of the survey.
When asked to choose between IT security and business flexibility, 71 percent of respondents said that security should be equal to or more important than business flexibility.
But, when asked if they would accept the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents said they would take the risk, while only 31 percent said they would not.
“These results show that organizations have a long way to go to balance security and business,” said Zoltán Györko, CEO at Balabit. “They demonstrate that while security overload may be tolerated during normal business, when it comes to big deals the respondents would not hesitate to bypass security to win business. It is important that this is recognized as an issue and dealt with accordingly.”
This is not surprising. After all, human nature, or possibly specifically that of high-level executives, typically puts self-interest above the common welfare. And, as my conversations with CSA members illustrate, the real trick is to create an environment and culture that strikes a healthy balance between IT security and business flexibility. Indeed, the real art for IT professionals lies in accomplishing this in a manner that does not impose onerous processes on users. Such processes are poster children for what not to do: they invite a lack of cooperation from insiders.
As Balabit points out, this lack of cooperation and trust on the part of insiders fosters security bypass practices, which raises the real risks we all read about when privileged accounts are misused.
Balabit cites recent Ponemon Institute research on the cost of data breaches, which highlights that criminal insiders cause the most data breaches. The conclusion is that, because insider misuse cannot be spotted by existing control-based security tools, a different approach is required.
“The survey shows that security strategies must take into account human behavior,” continued Györko. “Today’s static control solutions can only go so far. Security teams must have visibility of the context of user actions to be able to respond effectively, and any additional tools must be transparent to the business workflow. We believe that a monitoring based approach that enables companies to respond to suspicious activities in real time can make IT security more business friendly; that is why we developed our Contextual Security Intelligence Suite.”
For years, a common mantra in the technology industry has been that “content is king.” What we are busy finding out is that, when it comes to enterprise security in general, and increasingly regarding cloud and hybrid cloud/on-premises security, context is “mission critical.”
As this survey illustrates, IT security professionals have to be much more than technologists. They have to understand human behavior, and possibly incorporate behavior modification skills as well. It may sound cliché, but the bottom line is the bottom line. While IT security professionals have the responsibility and accountability for risk mitigation, finding the sweet spot that gets everyone on board with following best security practices, and doing so in a manner where you are viewed as friend and not foe, is a balance that is not easily struck.
That said, one can only note that, when it comes to dealing with C-levels, awareness is the first step toward sobriety. This survey and others like it, combined with headlines and, unfortunately, a growing body of first-hand experience, should help IT security professionals in their discussions with C-levels and line-of-business (LOB) heads. This is true even in Europe, where the survey was conducted, where privacy laws are very strong and data protection issues have become paramount, and where the survey nevertheless found that the art of the deal was seen as more valuable than the art of risk management. In short, we do have a way to go in getting the balance right.
Edited by Stefania Viscusi