Consider risks, business impact when making tradeoffs between security and productivity

Reported findings from a recently released survey of federal government executives on Cybersecurity in the Federal Government suggest that the increased emphasis on information security and corresponding protective measures put in place by government agencies are negatively impacting productivity among those surveyed, particular with respect to access to information, computing functionality, and mobility. The survey, conducted in May 2010 via email by the Government Business Council in conjunction with Citrix and Intel, included 162 respondents selected from among subscribers to Government Executive. The focus of the survey was specifically to address issues of access, functionality, and mobility and the executives’ perceptions of the role of security as a help or hindrance to performing job-related functions.

It should be noted that the survey did not seek to evaluate the relative effectiveness of information security programs or cybersecurity initiatives in achieving any of their intended objectives, such as making government systems and information more secure, but instead only looked at the impact security measures have on routine business operations. Media reports of the survey results, such as a summary of responses to four questions printed in the October 25 issue of Federal Computer Week, seem to emphasize the negative impact many government executives reported due to security measures, but without any indication of whether such measures are succeeding according to any other metrics, it’s hard to identify a clear set of implications from the survey. The only substantive recommendation proposed in the survey report is to include additional considerations as factors that help determine security policy, with the largest proportion of respondents putting “agency’s mission” at the top of their list of priorities. This implies that many government executives believe that less restrictive security measures should be used where security inhibits productivity-enhancing behaviors, such as accessing data from home or other non-agency locations.

The tension between business objectives and security is not new, and CIOs, CISOs, and other information security program managers are continually challenged with arriving at the right balancing point between protection and productivity — too little security is likely to result in more frequent and more significant security incidents, while too much security pits workers against security officers and threatens to brand the security team as a barrier to business. Even with additional oversight and attention from the administration on security, agencies are still expected to apply risk-based management principles to their decisions about what security measures to implement. If risk-based decision makers only consider the potential impact due to security breaches and the proposed security controls’ ability to reduce those risks, they’re not looking at risk from an enterprise level. Any calculation of the anticipated reduction in the risk of bad things happening due to the implementation of security controls should take into account the loss in business productivity or efficiency as part of the cost of security. The over-simplified basis of security management is, don’t spend more protecting an asset than the loss or damage to the asset is worth to you. Reductions in productivity due to security-imposed obstacles to standard business practices should be explicitly included in the cost vs. benefit equation. In some cases it seems quite likely that mitigating the risk outweighs the loss of productivity, and where true that business determination should not be lost on executives. An interesting question not asked on the survey would be how much insecurity (i.e., greater risk of breaches, outages, or other incidents) government executives would be willing to trade for uninhibited access to information.