Let’s get real about security
The old tagline of security being too “big brother” has devolved into a blanket excuse to avoid thinking critically about security policies and protocols in our increasingly digital world. We’re living in a world where a growing majority of us are using multiple social media platforms, smartphone applications, and cloud computing tools, and inviting nosey robot assistants into our homes. The number of sensors, microphones and camera lenses capturing information about us has never been higher. And, within reason and with a reasonable level of transparency, we tend to accept the privacy/productivity tradeoff. Why not extend the same rationale when evaluating corporate security programs?
Security teams can and should monitor company assets, protect their data, and be responsible stewards of the data of their customers, partners and employees. It’s OK to let security teams do their jobs, and we should have high expectations of our employees when it comes to following the rules. This is a completely legitimate expectation. Employees need to hear that and companies shouldn’t be afraid to say that. We don’t need to tiptoe around the subject—if you’re using a company computer, company networks, company data and resources, you should expect your employer to be watching and protecting their assets. In fact, you should want them to, both as an employee whose employment and paycheck depend on the continued success of the company, and as a customer of many other companies that have employees just like you.
Responsible security is about balance, transparency, respect and accountability
There is a balance that needs to be achieved in order to make this arrangement work well for both employers and employees. Some security approaches may introduce an unnecessary amount of personal intrusion. The key is to responsibly define the line between work/personal, and then aggressively pursue security around work items. We’re rapidly entering an era where employees have a choice of which device to use for what purposes—if they aren’t comfortable with corporate monitoring tools, they can use personal mobile devices, tablets or home computers for personal activities. The idea that employers should provide technology assets to employees and then feel restricted in terms of protecting those assets defies logic.
Engaging the workforce is better than enraging the workforce
When you look at the data about insider threat cases, from malicious to unintentional, the question naturally arises: “Why are so many employees mishandling data?” It could be that many of them are just trying to get work done. How can IT and security be set up to provide an environment in which employees can collaborate and work quickly and remotely? We need to shift the focus to using security tools that enable instead of block the collaboration culture. Monitor away! Visibility is the single most powerful capability in your security toolkit. But be sure you let employees produce value while you’re at it. The “human firewall” is one of your most effective security assets. Collaboration rather than conflict with the workforce is key to a strong cybersecurity posture—especially as it relates to insider threat.
The conversation that pits corporate security against employee privacy is misleading and exacerbates the problem. The idea that these concepts are at odds with one another is antiquated. Corporate culture and technology are evolving in ways that allow security and privacy not only to coexist, but also to reinforce and support one another.