Friday, November 10, 2006

Tell me something I don't know:
End Users Don't Get Security.

An interesting study, and I agree for the most part. In fact, I see this every day. Actually, employees not getting security keeps me in a job. However, is it really the employees' fault? I have seen firsthand the severe disconnect that exists between security and management. As much as everyone wants to point their fingers at the "bozo" employee (I've heard an IT director call his users that, and let's just say that, considering some of his security practices, I'm not sure who should have been wearing the red nose... another story for another time), one has to be willing to point the finger squarely at management. I'm not just talking about spending money on security; lots of organizations are doing that. It's the failure to embrace security at an operations level, the failure to have processes in place to deal with exceptions, that is causing many employees to ignore security.

Case in point:

A good friend of mine works as a Music Therapist at a hospital here. She works hard and is responsible for seeing patients, just as any social worker, nurse, or doctor is. However, her position is unique to the hospital. She needs access to music sites, she gets grants to purchase music, and she has a legitimate reason to look at sites that the hospital has deemed inappropriate for other employees. She also uses a CD burner on a regular basis, typically a "controlled" device at the hospital.

Many would consider that lack of access a good thing, but here's the caveat: there is no process in place for her to get this modified. She has had to jump through hoops, make continued calls to the help desk, and still has impediments to getting her job done on a daily basis. The solution for her is to have me download music, files, etc. and put them on a Zip drive (which isn't locked down, but which is another potential security risk).

The point is this: in her environment, security is an impediment to her job. She is encouraged to go around the security in the environment, not for some self-serving purpose, but in order to get her job done. She is expected to do her job just like any other professional, she has a boss, and she doesn't have hours a day to waste waiting on the help desk (she deals with some very ill patients).

Security vendors have focused on very effective technologies. There is still a great deal of FUD used to sell products, whether it's about hackers or regulators, and unfortunately the end users suffer. When people cannot get their jobs done because of security, that is a problem. It leads to lower productivity and lower morale.

I don't have the answer. It's a combination of vendor products' design and corporate policy. However, I will say that at the end of the day I don't blame the employee for "not getting security" when they are trying to do their jobs with the added frustration of security, and the time it costs, which of course is unaccounted for.

I am very passionate about this topic; you will hear more from me on it.
