Wouldn't it be more efficient to leave doors unlocked -- or even open -- all the time? Think of the time saved not having to look for or use your keys every day. The answer seems quite obvious: We use locks to keep unwanted people out and keep our valuables in.
The same concept applies to IT security measures. Like locks and other safeguards, IT controls often slow down processes. For example, the super-user IT control ensures that IT developers and support analysts do not have access to production systems. All changes must be made in a development environment, then tested and approved in a separate environment and finally promoted to production by someone other than the developer.
If you ever played an IT support role, you know that there's nothing faster than accessing production directly to troubleshoot and fix an issue. However, there are plenty of examples of super-users maliciously or accidentally making system changes that led to financial losses or downtime. Avoiding this is worth more to companies than improving time-to-repair.
Does this make sense in every case? Sometimes the cost of securing data, set against productivity loss, may be higher than the cost of the valuables behind the door. As a result, an open-door policy may, in some cases, be the best course of action. The company I work for, for example, has 400 service trucks. Our policy is to leave the trucks unlocked at night, because the cost of repairing a broken window -- and lost productivity of a driver who has to wait for the repair the next day -- is higher than whatever thieves might want to take from inside the truck. In fact, an unlocked door may prompt thieves to believe there are no valuables inside.
The costs of IT security measures
Open-door policies apply to IT controls as well. Consider IT asset management, an important IT security measure. Laptops have become less expensive over the years, to the point that they may not be worth the cost of tracking them. The real valuables are the software and intellectual property stored on those laptops. If these can be secured, perhaps it makes sense not to track laptops at all, acknowledging that some might be lost or stolen, but that their replacement cost will be less than the cost of running an administration-intensive asset-tracking system.
On the other end of the scale, every effort should be made to protect corporate data, whose value is often underrated. The Ponemon Institute, a Michigan research firm, recently conducted a study of 350 companies in 11 countries and concluded that the average cost of a data breach is $3.8 million. This gives a perspective on how much companies can responsibly invest to protect their data.
Consider Court Ventures, which manages credit records in the U.S. In 2007, a Vietnamese national posing as a Singaporean investigator was granted an account to gain access to the company's database. Once in, he accessed the personal information of a large number of U.S. residents, including credit card and Social Security numbers. He sold access to that data online in packages to over 1,300 "customers," whom he allowed to perform more than three million queries against Court Ventures' databases. He made more than $2 million, and his customers are known to have claimed at least $65 million in fraudulent income tax returns. The most surprising fact is that this fraudulent access went on for six years before it was identified. Effective IT logical access controls could have caught this early on. They might have made Court Ventures less efficient or less profitable, but that is certainly a low price to pay compared to the financial losses resulting from the data breach.
One final example is software licensing compliance. A new hire often receives a laptop loaded with required software and access to corporate systems necessary to perform job duties. Good IT security measures would ensure software is never installed without a license, but the lead time in acquiring a license might cause loss of productivity, particularly when the request comes "last minute" (often the case, unfortunately). Some vendors, such as Microsoft, understand this and offer programs flexible enough to accommodate this licensing fluctuation, but that's not always the case. Companies that don't manage this carefully might end up facing legal action as a result, and the potential penalties and costs are likely to be much higher than the productivity loss of following the IT controls initially.
In sum, IT security measures can indeed hinder efficiency. They add extra steps to processes, such as approvals and verifications; they restrict access for people who need it to do their jobs more efficiently; and they require investment and ongoing administration. But this is all perfectly justified when compared with the potential losses that can be prevented by these controls.
So, next time you're being held up by an apparently unproductive IT procedure, look at it as if it were the locked door to your house: It may not be efficient, but it's there to protect your valuables.