CIO
Presented by

Getting out of the way: Employee-friendly security
If security controls are too strict, employees will find other ways to get their work done. What tools and strategies can reel in shadow IT while keeping workers productive?
By Joan Goodchild
Nov 5, 2021
Business leaders do not want to have to choose between security and productivity. But in the constant push-pull between risk mitigation and employee experience, striking the right balance remains difficult. Some of the tension lies with the very technology that companies rely on to keep users safe. These solutions, while designed for optimal security, can be cumbersome and make it harder for people to complete their daily tasks. Presented with overly restrictive security protocols, many workers will often resort to workarounds, which in turn contributes to “shadow IT” as they download unauthorized apps to get their work done. For security teams, workarounds and shadow IT increase the potential for a breach or attack.

“Don’t think you’re being clever by aggressively blocking things,” says Jason Ruger, Lenovo’s Chief Information Security Officer. “It’s better to know what employees are using so you can communicate with them about the risks.”

Ruger, a veteran security leader, says employees don’t willingly put security at risk when they engage in this kind of behavior. But if they need to reauthenticate three times a day to access a simple document like a budget, they are likely to look for a workaround to access the file more easily. In other words, they’re just trying to do their jobs, and don’t necessarily understand the ramifications of taking shortcuts or ignoring company policy.

“To the extent you add more hurdles, people will find ways around it,” says Ruger.

The takeaway: Organizations need better strategies and solutions to lock down data without slowing down their people. With budgets tight and executives expecting IT solutions to demonstrate ROI, the answer may lie in thinking differently about security tools.

“IT has always been seen as a cost center,” says Ruger. “There is pressure to use solutions that are less expensive. Classically in IT, we build solutions that are three clicks instead of one. As IT leaders, we need to shift the model.”

While enterprise-grade solutions were once seen as the gold standard for security, Ruger says that narrative is changing. Enterprise security leaders have increasingly grown to understand that consumer-grade technology is not only less complicated and more comfortable for users, but follows a model of regular upgrades and patches to keep apps secure. In many cases, these tools are as or more secure than enterprise solutions.

But the switch to enabling users to employ more consumer-level tools may not be easy for large companies with legacy systems (and legacy attitudes toward consumer tech). In instances where allowing and securing certain consumer applications may not be feasible, Ruger suggests finding ways to enable employees to use what they want to use locally, and within reason.

“Can we create solutions that are easy enough to share within their region without making it so restrictive?” he asks. “If not, employees will use it anyway.”

Security is a team sport

In designing user-friendly security, it is essential to involve stakeholders across the business. This helps to ensure that security and risk mitigation are considered at all levels and in all types of user experiences. Nima Baiati, Lenovo’s GM of Commercial Cybersecurity Solutions, suggests one way to get the conversation going is to share real examples of incidents in other corporations. The high-profile Target breach, even though it happened in 2013, remains a stark reminder of the impact of cybersecurity attacks.

“You can take examples like Target and remind business leaders of the risks by saying, ‘this is what can happen to us,’” says Baiati.

Security teams can also look to evolving technologies such as artificial intelligence and advanced encryption to reduce the friction between security and productivity. Baiati says new methods of authentication can also help to reduce the tension between employee productivity and secure design. Solutions that offer access through passwordless authentication, and that leverage FIDO and FIDO2 technology, will be critical to recasting the way employees access information in the coming years.

“[Passwordless methods] improve the user experience,” says Baiati. “I don’t have to remember a password or continually go in and change that password. Solutions like that can also help an organization reduce cost.”

Passwordless solutions can also reduce IT costs by reducing the number of help desk requests for password resets. Those savings can be clearly mapped to ROI, he says.

“Tying a solution to a business outcome is very effective,” he notes.

Awareness training reinforces the message

Eliminating friction between the employee and the tools they need to do their work is one way to enhance defense, but teaching them about the threats to watch out for is another layer of protection. Awareness training has become table stakes in any security program.

The most effective programs, Ruger says, tie security outcomes back to the employee’s own personal interests and situation.

“We always try to make it personal,” says Ruger. “How would this impact your personal finances or your significant other’s finances?”

This personal touch also ties back to Ruger’s earlier example around understanding what shadow devices or applications employees are using and having a conversation about why they feel the need to use it. What are they trying to accomplish that requires a workaround or a shadow IT device? That discussion goes both ways, because employees can also learn more about how their behavior puts company data at risk.

“If employees are using solutions that aren’t as secure as you like, it’s better to know that so you can communicate with them using a carrot rather than a stick,” he says.

All Episodes (8)

Cybersecurity: Trust no one

Cybersecurity: Trust no one
Andy Ellis, Advisory CISO, Orca Security
Tim Brown, CISO, SolarWinds

Ransomware, a love story

Ransomware, a love story
Rahul Telang, Trustees Professor of Information Systems
Renee Guttmann, Global CISO and Risk Executive, Board Advisor

AI: Reality check

AI: Reality check
Olaf Groth, PhD, CEO Cambrian.ai, Prof. HULT IBS & US Berkeley, Author The AI Generation
Sanjay Srivastava, Chief Digital Officer, Genpact

AI: Automation nation

AI: Automation nation
Anima Anandkumar, Director of Machine Learning Research, NVIDIA
Brian Solis, Global Innovation Evangelist, Salesforce and Author

Flexible workforce: Hybrid vigor

Flexible workforce: Hybrid vigor
Kamila Sip, Neuroscience and Behavior Change Expert
Jon Levy, Behavioral Scientist, NYT Best-Selling Author

IT-as-a-service: A renter’s market

IT-as-a-service: A renter’s market
Tien Tzuo, Founder and CEO, Zuora
Matt Kimball, Principal Analyst, Moor Insights & Strategy

Edge computing: Distribute or die

Edge computing: Distribute or die
Stephanie Atkinson, Executive Thought Leader and Influencer
Satya Jayadev, VP and CIO, Skyworks

Green IT: The color of money

Green IT: The color of money
Rob Enderle, President and Principal Analyst, Enderle Group
Pamela Rucker, President, The Rucker Group, Instructor, Harvard Professional Development Programs