Being a cybersecurity professional is roughly the digital equivalent of being a crossing guard. The crossing guard is there to keep everyone safe. But half a block down from that crossing guard standing at a crosswalk are pedestrians who routinely jaywalk. Many of them know there’s a crossing guard up ahead. More than half the population would rather not wait two minutes for that crossing guard to usher them across the street. That same scenario plays out in IT security every day. In fact, a new survey of 500 chief information security officers (CISOs) conducted by the research firm Vanson Bourne on behalf of Bromium, a provider of secure virtual machines for endpoints, finds that 74 percent of the CISOs surveyed said users have expressed frustration about security preventing them from doing their job. A full 81 percent of those CISOs said they have also been told security is a hurdle to innovation.
Cybersecurity professionals in an ideal world would be viewed as enablers of safe innovation. The problem is that, unlike that crossing guard, cybersecurity professionals can’t see most potential threats. It’s like trying to be a crossing guard on a street where the cars are invisible and run silent. It’s little wonder IT security professionals are a little overzealous about protecting the IT environment. That zeal, however, has real consequences and costs. The Bromium report says IT help desks are spending an average of 572 hours a year dealing with complaints stemming from a user’s inability to access a Web site.
Not every one of those issues is the fault of the IT security team. Nevertheless, the Bromium report finds that 77 percent of CISOs said they feel stuck in a Catch-22 between letting people work freely and keeping the enterprise safe. A further 71 percent said that they are being made to feel like the bad guy for having to tell people they can’t access a specific piece of content using a corporate device.
The issue that CISOs need to come to terms with is that not every piece of data or potential action needs to be afforded the same level of security. The level of security a pedestrian expects when crossing a street is radically different from what would be applied to the mayor of the town taking the very same stroll. Everyone in our society knows this. What people do expect is that in the event something does go wrong there will be some sort of emergency service readily available to save them. It’s the same with data. Not all data, applications and end users need to be protected equally well. But any security issue involving them needs to be resolved as soon as possible. CISOs are being held accountable for not detecting those breaches. It’s generally accepted that some number of breaches are going to occur. By the same token, everyone also knows that on any given day a traffic accident or some other form of mayhem is likely to occur. They also know bad things can happen when they visit certain parts of the Internet. IT security professionals can advise them against it. But when all is said and done, there’s not much more an IT security professional can do than a police officer advising a tourist that they visit some parts of town at their own risk. Of course, just like police and other emergency service personnel, the job at hand then becomes containing the damage and cleaning up the mess.
CISOs should take a cue from emergency services personnel. Most emergency services personnel would prefer to prevent bad things from happening to good people as often as possible. But emergency services workers know in their hearts they can’t prevent everything in the world that could harm people from happening. In fact, it’s that very thought that lets most of them sleep at night. Some days, of course, are going to be worse than others. But the good news is that most of them do indeed get through it.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.