IT Security Is a Partnership
The majority of employees do not want to give away critical business data; they are not purposefully holding open the door for criminals to walk in and snoop into business systems. Doing their job efficiently is usually the main goal. But when IT security is a vague company initiative and seen as an impediment to getting the job done, some best practices may be ignored. If employees' relationship with IT security is an "us versus them" mentality rather than a partnership, taking a shortcut looks like a good idea.
Eileen Yu reports on ZDNet.com that, based on survey results from Fortinet, "Generation Y employees will circumvent corporate policies governing the use of personal devices at work." As employees, they are more likely to adopt technologies best suited for getting work done but will ignore security policies if they are seen as an impediment to work. Security risk is not unknown to them: The majority of those surveyed have experienced security breaches on personal devices that compromised personal and/or business information.
This consumer-minded risk tolerance is common among tech-savvy employees. Security is not viewed as a partnership, but as a dictate to follow only when it suits the situation.
Adrian Lane describes a similar experience on DarkReading.com, in which database administrators were evading security requests to implement audit trails, admin segregation and encryption. Like the Generation Y employees polled in the Fortinet survey, they are focused only on getting the job done, and these security measures are considered extra responsibility with limited merit. As highly skilled practitioners, they know their systems and do not want any additional workload without a clear benefit.
In It Together
The National Cyber Security Alliance (NCSA) promotes October as National Cyber Security Awareness Month, and this year's theme is "Our Shared Responsibility." The NCSA provides guidance for individuals, schools and businesses on security basics to support the sharing of responsibility when it comes to cybersafety.
IT security is not about walls and restrictions; it is about awareness of threats and consequences. Individuals cannot hand off responsibility for security to others; comprehensive security policies require participation from all parties involved. For businesses, this can require a cultural shift away from the "us versus them" mentality, especially when some business units have "security" in their title.
Security leaders in small and midsize organizations have a better chance at building this team mentality. As leaders in smaller organizations, they have the unique opportunity to personally connect with employees and create a culture of security awareness. Guiding IT security training programs to focus on employees' individual contributions to security and their personal impact on security breaches reinforces the partnership aspect.
IT professionals at small and midsize businesses can change the perception of IT security from a technical, policy-driven initiative to a business culture where responsibilities and impacts are interwoven. A business functions more efficiently when leaders and employees share the same vision, and cybersecurity is a vital piece of that vision.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.