Federal IT Security Policies Must Be User Friendly
Federal agencies should choose security tools and policies that suit the productivity needs of their employees.
Preventing and containing data breaches has proven to be a difficult, ongoing undertaking -- not to mention a significant drain on agency resources. That is, as data security strategies evolve, so do the tactics of malicious fraudsters. Considering the public sector's strict IT budget, getting out ahead of security issues before they occur is no small task -- even for agencies where data security is their primary responsibility, as evidenced by Edward Snowden's stint with the NSA.
Unfortunately, the inability to jump ahead of the curve has forced the standard response of federal agencies to be just that, a response. Strategies aren't updated until it's proven that the current defense is no longer suitable, at which point IT stretches a thin budget to plug leaks and enforce a tightened security policy. But where has this been effective?
[Project Interoperability aims to develop and standardize formats for sharing security and threat information. See Feds To Improve Threat Information Sharing.]
Rather than engaging in the reactive, rinse-and-repeat process that inevitably occurs surrounding security breaches, agencies need to step back and delve into the issues beyond security policies. Policy is important, but it's only as good as the people and technology backing it.
Security misconception: take a proactive stance
Agencies know they need to take a proactive approach to cybersecurity, and often assume the best strategy is tightening internal policies, implementing new technology, and hiring additional security specialists (as is the case with the IRS). In actuality, this strategy can often backfire.
Strict policies and new technology might look good on paper, but they can ultimately hinder employee productivity by requiring additional steps to complete a task. This forces employees to choose between remaining within policy guidelines and approved technology or using faster, more familiar methods to handle sensitive information. Much to IT's dismay, most employees will sacrifice security and compliance for productivity.
Take, for instance, information sharing. Today's workforce expects instant access to information and the ability to send and receive data at the press of a button. When technology comes up short, or policy is limiting, employees are forced to find a workaround. We recently surveyed more than 500 professionals and found that more than 60% of employees use personal accounts to store and share confidential data -- a red flag for security and compliance. The main reason they do this, according to the survey, is that the consumer options are easier to use.
Find the right balance
Authentic security is a byproduct of successfully balancing people, process (policy), and technology. IT assumes responsibility to make all three work together.
People
No matter how well planned, a security initiative's success is dependent on those who choose to adhere to its principles. Unfortunately, employees are often more concerned with getting a job done than the mechanics behind it. The reality is that security regularly takes a backseat to productivity and efficiency. If federal agencies have any hope of managing and securing the sensitive data leaving their organizations, they need to provide solutions that easily integrate into the daily routines of their employees.
Process
Policy is an agency's roadmap and should provide a supportive framework for secure data handling. Unfortunately, this is where the breakdown often occurs between decision-makers and the workers who are tasked with following the policy. According to our survey, nearly 75% of employees believe that IT approves of their use of insecure, personal accounts. Even worse, when it comes to sharing sensitive data and files, there's a blatant lack of understanding among today's workers, not just about the details of their company's IT policies, but about whether their company has a policy at all:
Only 48% of employees said their companies have policies for sending sensitive files
30% said that their companies don't have policies in place
22% weren't sure whether a policy existed
Technology
Technology should empower federal employees to complete mission-critical tasks efficiently, without getting in the way of how they do their business, while meeting compliance and security requirements. If technology is put in that makes employees less efficient at performing their primary job duties, then they will simply go around it. It's IT's job to routinely evaluate technology and replace the tools that limit productivity. Employees will do everything necessary to remain productive. Implementing a technology that limits employee productivity encourages workarounds that put confidential data at risk.
The approach agencies take to manage security may differ greatly depending on their overarching goals. However, in order to promote secure policies, agencies need to find and implement employee-friendly, IT-empowering technology and policies -- not just something that looks good on paper.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
About the Author
You May Also Like