Commentary
4/16/2014
09:30 AM
James Bindseil

Federal IT Security Policies Must Be User Friendly

Federal agencies should choose security tools and policies that suit the productivity needs of their employees.

Preventing and containing data breaches has proven to be a difficult, ongoing undertaking -- not to mention a significant drain on agency resources. As data security strategies evolve, so do the tactics of malicious fraudsters. Considering the public sector's strict IT budget, getting out ahead of security issues before they occur is no small task -- even for agencies whose primary responsibility is data security, as evidenced by Edward Snowden's stint with the NSA.

Unfortunately, the inability to jump ahead of the curve has forced the standard response of federal agencies to be just that, a response. Strategies aren't updated until it's proven that the current defense is no longer suitable, at which point IT stretches a thin budget to plug leaks and enforce a tightened security policy. But where has this been effective?


Rather than engaging in the reactive, rinse-and-repeat process that inevitably occurs surrounding security breaches, agencies need to step back and delve into the issues beyond security policies. Policy is important, but it's only as good as the people and technology backing it.

Security misconception: take a proactive stance
Agencies know they need to take a proactive approach to cybersecurity, and often assume the best strategy is tightening internal policies, implementing new technology, and hiring additional security specialists (as is the case with the IRS). In actuality, this strategy can often backfire.

Strict policies and new technology might look good on paper, but they can ultimately hinder employee productivity by requiring additional steps to complete a task. This forces employees to choose between remaining within policy guidelines and approved technology or using faster, more familiar methods to handle sensitive information. Much to IT's dismay, most employees will sacrifice security and compliance for productivity.

(Image: Community Commons Christopher Bowns)

Take, for instance, information sharing. Today's workforce expects instant access to information and the ability to send and receive data at the press of a button. When technology comes up short, or policy is limiting, employees are forced to find a workaround. We recently surveyed more than 500 professionals and found that more than 60% of employees use personal accounts to store and share confidential data -- a red flag for security and compliance. The main reason they do this, according to the survey, is that the consumer options are easier to use.

Find the right balance
Authentic security is a byproduct of successfully balancing people, process (policy), and technology. IT assumes responsibility for making all three work together.

People
No matter how well planned, a security initiative's success is dependent on those who choose to adhere to its principles. Unfortunately, employees are often more concerned with getting a job done than the mechanics behind it. The reality is that security regularly takes a backseat to productivity and efficiency. If federal agencies have any hope of managing and securing the sensitive data leaving their organizations, they need to provide solutions that easily integrate into the daily routines of their employees.

Process
Policy is an agency's roadmap and should provide a supportive framework for secure data handling. Unfortunately, this is where the breakdown often occurs between decision-makers and the workers who are tasked with following the policy. According to our survey, nearly 75% of employees believe that IT approves of their use of insecure, personal accounts. Even worse, when it comes to sharing sensitive data and files, there's a blatant lack of understanding among today's workers, not just about the details of their company's IT policies, but about whether their company has a policy at all:

  • Only 48% of employees said their companies have policies for sending sensitive files
  • 30% said that their companies don't have policies in place
  • 22% weren't sure whether a policy existed

Technology
Technology should empower federal employees to complete mission-critical tasks efficiently, without getting in the way of how they do their business, while meeting compliance and security requirements. If technology is put in place that makes employees less efficient at performing their primary job duties, they will simply go around it. It's IT's job to routinely evaluate technology and replace the tools that limit productivity. Employees will do everything necessary to remain productive. Implementing a technology that limits employee productivity encourages workarounds that put confidential data at risk.

The approach agencies take to manage security may differ greatly depending on their overarching goals. However, in order to promote secure policies, agencies need to find and implement employee-friendly, IT-empowering technology and policies -- not just something that looks good on paper.


James Bindseil is President and Chief Executive Officer of Globalscape, a leading developer of secure information exchange solutions. He has more than 20 years of experience in the technology industry, including senior leadership roles at Fujitsu, Symantec, and Axent ...

Comments
BobH088,
User Rank: Apprentice
4/17/2014 | 11:24:59 AM
security solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
JaCa,
User Rank: Apprentice
4/16/2014 | 12:23:10 PM
Two common Web application attacks illustrate security concerns
Interesting article. Hackers frequently gain access to important data using flaws in IT security systems and injecting malware into web applications. An organization should conduct regular security maintenance and testing that focuses first on the most common threats to its applications. I work for McGladrey, and there is a whitepaper, "Two common Web application attacks illustrate security concerns," that offers good information to readers. @ "Two common Web application attacks illustrate security concerns"   http://bit.ly/1c0f35M

 