Striking a balance between security and productivity — an impossible dream?

Security and personal productivity do not make comfortable bedfellows. Understanding why takes us to the roots of what business is all about.
Business can be measured in two ways: effectiveness and efficiency. Effectiveness refers to doing the right things, for example creating the right products and services, or closing the necessary number of sales.
Efficiency means doing things right, that is, achieving results without unnecessary overheads. In personal terms this equates to productivity — or, simply put, how much time is spent in a day achieving results, versus doing things with no apparent business value?
Security often appears to be the enemy of such personal productivity, creating what can seem to be unnecessary barriers to getting the job done. And sometimes it looks as though business effectiveness itself has been sacrificed on the altar of overbearing security.
I remember one organization I worked for, back in the day, that banned the use of floppy disks for file transfers. The rationale made sense from a security perspective — such transfers were a major contributor to the transmission of computer viruses. But for an administrative department whose business relied on file transfers, it meant that productivity took a major hit.
Things are so much more complicated these days, of course. Via the Internet, every computer is connected to every other; we have phones that can store large enough volumes of data to run entire companies.
And meanwhile, in infrastructure terms we see fragmentation at all levels. While the buzzword might be convergence, in reality this has led to a nightmare of integration work. We have created for ourselves a leaky bucket.
The security risks of such a complex environment are genuine and need to be addressed. But does this mean that we are doomed to becoming increasingly unproductive? Or is there an alternative answer which enables both security and productivity to be achieved?
There is an answer, but not necessarily where people might first look. This is not about striking some kind of arbitrary balance between making things secure and allowing people to be productive.
Rather, this is about being clear on what you want to secure. Technology, in all its complex and far-reaching glory, is a distraction from the main event — the information that it creates, processes and communicates.
Information is an organization’s most important asset, it has been said. But not all information is created equal. Some is business critical; some incorporates intellectual property; some is subject to compliance criteria.
Understanding what information you need, and why it matters, does not have to be an onerous task. While organizations may struggle to get on top of all of their ‘information assets’ they can nonetheless identify a core of information that is of particular importance to the business.
Such understanding goes a long way to creating a suitable response, as it enables the right trade-offs to be made. A clear example is in healthcare, where patient information absolutely should be subject to far more stringent criteria than, say, the menu in the staff canteen.
In security architecture speak, this is called ‘separation of concerns’. In layman’s terms, this means providing access mechanisms, policies and roles appropriate to the information.
It may be, for example, that customer information can only be accessed on personal mobile devices via a locked-down app. Or that certain systems can only be accessed via a virtual private network (VPN), accessible only to certain people.
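The tiered approach described above can be made concrete as a small policy evaluator. The following is an added example, not code from the original article: the sensitivity tiers, the device, channel and app attributes, and the sample assets (canteen menu, customer records, patient notes) are assumptions chosen to mirror the article's illustrations. Each tier carries its own constraints, and every decision returns a reason so that denials can be audited rather than silently blocking work.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Information tiers; controls tighten as the tier rises (assumed scale)."""
    PUBLIC = 0        # e.g. the staff canteen menu
    INTERNAL = 1      # routine business documents
    CONFIDENTIAL = 2  # e.g. customer records
    RESTRICTED = 3    # e.g. patient information


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: Sensitivity
    allowed_roles: frozenset  # roles with a business need for the asset


@dataclass(frozen=True)
class AccessContext:
    role: str
    device: str   # "managed" or "personal" (assumed vocabulary)
    channel: str  # "office", "vpn" or "internet"
    app: str      # "locked_down_app", "browser" or "other"


TRUSTED_CHANNELS = {"office", "vpn"}


def _tier_rule(tier: Sensitivity, ctx: AccessContext):
    """Return (allowed, reason) for the tier's own access constraints."""
    if tier == Sensitivity.PUBLIC:
        return True, "public: no constraint"
    if tier == Sensitivity.INTERNAL:
        if ctx.channel in TRUSTED_CHANNELS:
            return True, "internal: trusted channel"
        return False, "internal information needs the office network or VPN"
    if tier == Sensitivity.CONFIDENTIAL:
        # Personal devices may reach confidential data only through the locked-down app.
        if ctx.device == "personal" and ctx.app != "locked_down_app":
            return False, "confidential data on a personal device only via the locked-down app"
        return True, "confidential: device/app constraint satisfied"
    # RESTRICTED: trusted channel, managed device and locked-down app, all required.
    if ctx.channel not in TRUSTED_CHANNELS:
        return False, "restricted data only over the office network or VPN"
    if ctx.device != "managed" or ctx.app != "locked_down_app":
        return False, "restricted data only from a managed device via the locked-down app"
    return True, "restricted: all constraints satisfied"


def decide(asset: Asset, ctx: AccessContext):
    """Access decision for an asset, with a reason string for the audit log."""
    # Need-to-know gating applies from CONFIDENTIAL upwards, before any tier rule.
    if asset.sensitivity >= Sensitivity.CONFIDENTIAL and ctx.role not in asset.allowed_roles:
        return False, f"role '{ctx.role}' has no business need for '{asset.name}'"
    return _tier_rule(asset.sensitivity, ctx)


# Constructed sample assets, not real systems.
CANTEEN_MENU = Asset("canteen menu", Sensitivity.PUBLIC, frozenset())
CUSTOMER_RECORDS = Asset("customer records", Sensitivity.CONFIDENTIAL, frozenset({"sales", "support"}))
PATIENT_NOTES = Asset("patient notes", Sensitivity.RESTRICTED, frozenset({"clinician"}))


if __name__ == "__main__":
    cases = [
        (CANTEEN_MENU, AccessContext("anyone", "personal", "internet", "browser")),
        (CUSTOMER_RECORDS, AccessContext("sales", "personal", "internet", "locked_down_app")),
        (CUSTOMER_RECORDS, AccessContext("sales", "personal", "internet", "browser")),
        (PATIENT_NOTES, AccessContext("clinician", "managed", "vpn", "locked_down_app")),
        (PATIENT_NOTES, AccessContext("clinician", "personal", "vpn", "locked_down_app")),
        (PATIENT_NOTES, AccessContext("sales", "managed", "vpn", "locked_down_app")),
    ]
    for asset, ctx in cases:
        allowed, reason = decide(asset, ctx)
        print(f"{asset.name:16} {ctx.role:10} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point of the structure is that the public tier imposes nothing, so the canteen menu never costs anyone productivity, while the controls on patient notes are justified by the tier they sit in rather than applied to everything alike.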
The bottom line is that we cannot expect everything to be accessible everywhere, nor that everything can be locked down to the same level of security. Taking such a stance can only end in failure.
By focusing on information first we can identify what cannot be compromised, before considering where compromises can be made. The old adage “balance in all things” should only be applied once the organization’s confidential assets have been understood.