A few weeks ago, Bob Lewis wrote some provocative words over at InfoWorld that most security pros probably find pretty hard to stomach. In an article entitled: BYOD and the hidden risk of IT security, Bob basically called out most “bring your own device to work” security strategies as being more damaging to enterprises than helpful. His subtitle said this: “When employees use personal devices for business purposes, too much security can create more risk than it prevents.”
Wow! He got my attention. But I’m struggling to get to the same place as Bob. I’m still looking for the preponderance of large enterprises that have the “too much security on smartphones” problem. I wish he had provided some compelling examples.
Nevertheless, Mr. Lewis makes several excellent points at the end of the article that I’d like to highlight:
“Risk comes in two forms. Some risks are possibilities of increased costs; the remainder are risks of decreased revenue. The former gets the most attention because those are the ones that happen in big bites -- and are the most visible.
But risks that lead to less revenue are arguably more important. They come in such forms as customer dissatisfaction, reduced innovation, poor collaboration among employees and with business partners and customers, and employee apathy.
Information security has, for the most part, focused its attention on the pitfalls of increased cost, which has led to its being one of the biggest sources of revenue risk”
He’s absolutely correct. Even though I’ve never seen a state or local government that spends too much on cybersecurity overall (most of us spend under 2% of total IT spend), governments can still over-protect in a particular security area. I do believe that government enterprises need to periodically assess whether our precious tax dollars are being spent wisely and in a manner that helps the business by enabling innovation. Perhaps too much is being spent on old technology and not enough on the new. When security controls are put in place, are those protections overbearing on staff? As the age-old analogy goes, a patient can die from cancer, but a patient can also die from too much chemotherapy.
So what is the “right” level of security? How do you know if you have gone too far, or not far enough in protecting critical systems? Do all business functions need the same level of security? These questions can get tricky due to the “weakest link” challenge – where attackers can gain network entry by accessing your least protected department.
No doubt, security requirements vary from business area to business area within government. Protecting health records, social security numbers, credits cards and other sensitive data often requires specific legal controls and compliance policies. Protections will likely be different in areas that require access to sensitive data from other areas of government that share data openly with the public. Bottom line, security professionals need to know the business requirements and the business needs before making those judgments.
These “right level of security” questions also bring us back to where we started in this three part series on customer service. It is important to benchmark our technology operations against peers and/or even against the best operations in the world. One big part of any assessment includes business customers who need to be at the table throughout the assessment process.
For specific situations, such as bringing personally owned smartphones into work, I am a believer that a “one size fits all” approach will likely not work in most state governments. For example, our criminal justice organizations in Michigan are not supporters of BYOD policies, while some government departments (like Education in Michigan) think BYOD is a good idea and want to encourage more uses of personally-owned devices. These different perspectives are coming from the business side. Regardless of the viewpoint, ensuring appropriate seats at the table for business areas during policy formation discussions is paramount.
One more point, security organizations can even offer the customer better service by working together to achieve the right result. This theme came across almost five years ago in this TechRepublic blog: Security and customer service go hand in hand. Here’s an excerpt:
… I ran into a similar situation two years ago, at a law firm in Washington, D.C. There, the manager of the help desk told me that although the telephones in the firm had caller ID capability, this capability was lacking in the phones of the help desk. When I asked why, she said that some help desk analysts were deliberately avoiding the calls of “challenging” callers. By suppressing caller ID, she reasoned, this problem would go away. I responded by suggesting a better approach, namely to help the staff deal with these challenging callers, and to speak with those callers and their supervisors. In addition, I pointed out the possible unintended consequences of this policy: that the help desk analysts might become more reluctant to answer ANY calls at all.
So it is with the users who circumvent IT. It’s wrong, of course. However, remember that there’s a possible business reason for why they’re doing it. Consider talking with them to find out their needs. In particular, be creative and try to come up with alternative solutions that allow them the information they need, but which still leave your security infrastructure protected.
In conclusion, while the customer isn’t always right on security, perception is often reality. I sure want them to feel good about the systems, people, processes, policies and networks being deployed to protect their people, systems, processes, networks, products and information. We need to patiently explain the options and the risks to the business, and they need to make the goals and potential benefits clear us as well. Our vendor partners who offer security services learned this lesson as job one a long time ago. we need the same approach when working with agency customers.
Over time, good security service is good customer service. We are custodians of their data. We need to get buy-in on the security approach. Excellent customer service includes two-way communication at every stage of the process. Building trust between the security team and business areas is what we do.
Any thoughts or stories to share on excellent security customer service?