Anyone who has ever been responsible for an organization’s IT knows the Catch-22 paradox: a situation with conflicting key requirements that appear to be at odds with one another. A prime example is the balancing act that IT leadership must perform between ease of use and security. As a professional responsible for an IT department, you live your life in the service of two immutable requirements: efficiency and security.
Efficiency versus Security
We often hear “End-user ability to get their work done is key, that is how our business makes money. Our systems must enable our end-users to be as productive (and profitable) as possible” while simultaneously hearing “Our systems must be secure. There is no excuse if systems are compromised, if they are not available or if we cannot rely on the integrity of the data.”
Security nearly always comes at the expense of convenience and efficiency. Many times, management is unsympathetic to the plight of the IT Manager shouting into the wind about the importance of various safeguards and training to protect the environment, and is instead concerned only with maximizing the efficiency and ease of use of the system. Yet that same management will waste no time in holding the IT Manager accountable if an issue occurs that could have been easily avoided or mitigated had they elected to implement the safeguards the IT Manager recommended. Below are a couple of industry examples our clients have faced.
Catch-22 in Healthcare
In some instances, there are genuine life-or-death considerations that must be taken into account, and the appropriate calculus to apply becomes fuzzy. Those in the IT security field who have done work for healthcare providers have undoubtedly, when advocating for the implementation of various security controls, heard a physician make a statement similar to, “If I have a dying patient in front of me, I don’t have time to jump through security hoops to gain access to their medical records.” In those situations, one can understand the argument. If we were lying on the table in need of emergency care, we too would want the doc to be able to quickly access the EMR system and the information necessary to swiftly treat us.
On the flip side, our medical records are one of the most private aspects of our lives. We expect our providers to go to great lengths to protect our information, and the HIPAA / HITECH Acts provide for punitive action if due care is not applied to the protection of our medical data. As any sizeable healthcare provider will tell you, one of the most prevalent causes for immediate termination is an employee accessing the health record of a patient who is not in their care (e.g. accessing the record of a friend or family member, or of a celebrity who may have received treatment). So where is the appropriate balance between efficiency and security when it comes to protecting our medical records?
Catch-22 in Financial Services
There are also instances where there are no mortal or privacy concerns, but simply a profit concern. One financial services client had instituted a policy that end-user passwords never expired and never had to be changed. Moreover, there were no password hardening features (minimum length, special characters, etc.) in place, and in many cases passwords consisted of only a few characters. Examining the password histories, we also noted that most end-user passwords had not been changed in many years.
The client’s argument for their position was that periodic password changes would cost the company hundreds of thousands of dollars’ worth of lost productivity per year and that requiring complex passwords would create additional inefficiencies if end-users were unable to remember their passwords after changing them. Many of us questioned this dubious calculation, including IT management who had consistently, but ineffectually, crusaded for more robust security controls. However, executive management was determined to accept the risks this posed to the organization without implementing any mitigating or compensating controls.
Predictably, this client had a data breach and their systems (including some customer data) were compromised. When the dust settled, it was determined that the breach was due to one of the employees utilizing the same password for their company account as they used personally for several websites. Moreover, this individual also admitted that they had been previously informed by one of these websites that this password had been compromised, but the individual did not take action to update their company password because they did not realize the severity or risk for additional breaches.
There were many failures here, the largest being user education, which was also likely disregarded due to cost or inefficiency concerns. Password expiration or hardening requirements could have helped to prevent an event such as this from happening. At the end of the day, this incident cost the company many times what their (imagined) cost of the security controls would have been. Perhaps worse was the reputational damage to the company, which is more difficult to quantify and has longer-lasting effects. The one phone call you hope you never have to make is the one to your clients informing them that you lost their data.
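To make the “hardening requirements” concrete, here is an added example (not the client’s configuration or any code from the original article) of a password-acceptance check of the kind a directory or identity system applies at password-change time. It enforces a minimum length and character-class mix, rejects reuse of recent passwords without storing them in plaintext, and, addressing the reuse failure described above, rejects any password that appears in a known-compromised list. The policy values and the compromised-password list are assumptions constructed for the example; real deployments would use the organization’s own policy and a breach corpus.

```python
import hashlib
import hmac
import os
import re

# Policy values are illustrative assumptions, not the client's actual settings.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 5

# Constructed stand-in for a compromised-password corpus. Such corpora are
# commonly distributed as SHA-1 digests so that no plaintext list is kept.
_SAMPLE_COMPROMISED = ("password", "Summer2019!", "letmein", "qwerty123")
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED
}


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest so that a password history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def character_classes(password):
    """Count how many of lower, upper, digit and symbol classes are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for pat in patterns if re.search(pat, password))


def is_compromised(password):
    """Look the candidate up in the (constructed) compromised-password set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in COMPROMISED_SHA1


def reused_from_history(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored digests."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_for_history(password, salt)[1], digest):
            return True
    return False


def evaluate_password(password, history=()):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        failures.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if is_compromised(password):
        failures.append("appears in a known-compromised password list")
    if reused_from_history(password, list(history)):
        failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return failures


if __name__ == "__main__":
    # Constructed history containing one previous password for the demo user.
    history = [hash_for_history("OldCorpPassw0rd!")]
    for candidate in ("abc", "Summer2019!", "OldCorpPassw0rd!", "correct horse battery Staple 9"):
        print(f"{candidate!r} -> {evaluate_password(candidate, history) or 'OK'}")
```

The compromised-list check is the control that would have caught the reused password in the story: a credential already known to be exposed elsewhere is rejected regardless of its length or complexity. Keeping the history as salted PBKDF2 digests rather than plaintext means the history itself does not become a second breach if the directory is copied.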
How to Overcome the Paradox
Overly engineered, burdensome, or self-defeating controls can cause more problems than they are meant to prevent and have detrimental impacts on the end-user’s ability to efficiently perform their job. Conversely, insufficiently designed controls can be ineffective in protecting systems and data and can likewise result in issues. Properly understanding your technology risks and balancing those with your operational requirements can be a difficult process and can be more of an art than a science at times. Below are a few recommendations we suggest as starting points for this process.
Develop an IT Steering Committee
Make your business process owners part of the solution and be sure to give them a voice. An IT Steering Committee (ITSC) is an outstanding tool for helping to ensure IT alignment with business objectives, regulatory requirements, and IT best practices. Moreover, it can be an ideal venue to facilitate an ongoing dialogue with end-users and the groups can work together to determine how best to implement safeguards and processes. You are much more likely to gain compliance and internal advocates when these stakeholders are included in the decision-making process.
Create Communication Opportunities
One of our clients’ IT groups instituted a weekly “Coffee chat with IT” event. IT provided coffee and donuts and invited employees to come ask questions, get help with a problem, or just hear about what the IT department was working on. They were determined to move from an “us and them” mentality towards a “we are all in this together” mentality. As a result of this program, they noticed a significant decrease in the number of help-desk tickets and IT-related incidents, and gained a better understanding of how the IT organization could best help the business achieve its objectives.
It is easy to give in to the “complainers” within an organization who are the first to gripe about anything they perceive to be an obstacle to their peak productivity, but the last to put any effort into identifying possible solutions. It is critical for management to overtly demonstrate their commitment to both efficiency and safe computing practices by not giving in to this type of group. Management must encourage a culture of mutual respect for both security and operational objectives, and recognize those individuals who work together to jointly develop solutions that address both requirements.
There are several other ways our clients have worked through the process of understanding and balancing their technology risk and operational requirements. This article contains some tips for additional activities that you might find useful in your endeavor, including conducting a risk assessment, needs analysis, and so on.
We are here to help! We would love the opportunity to discuss your needs and requirements to help you manage your technology risks. Each business is different, and we tailor our approach based on the unique needs and characteristics of your organization. If there are any questions that you might have please feel free to contact us.