Striking the Right Balance Between Security and Functionality

Doing security well is hard work, but it should never block useful functionality for your customers. If security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. And yet two instances from this month suggest that is exactly what is happening.

Let's start with election fraud. As we've noted, the potential for election cyber attacks is real and dangerous. French election officials seem to agree—which is good. But their decision was to halt cyber-voting for overseas citizens, rather than try and fix the security—which is horrible.

If they had decided to abandon overseas electronic voting because of a lack of interest or that it was too expensive, it would be a very different situation. But they appear to be saying that their citizens want it. The security, however, seemed like a lot of work so they opted to surrender.

Had they said that they were temporarily suspending the program while security teams put in place protections that would have been good. Alas, that's not what appears to be happening.

A few days after Reuters noted the French election decision, I received a copy of an e-mail from an IT security official with a major company. The note was a follow-up to a series of notes to employees detailing problems with the web site. The site kept crashing.

Turns out, according to the memo, the problem was that the company's own security scans overtaxed the Web servers. In effect, the company Denial of Service attacked itself. That can happen.

The problem is what the company did next. It halted the security testing. The note did not say that it was suspending the testing temporarily while the software was tweaked. No, it just halted the security testing, which presumably was put in place to act as protection.

No one ever said that security is supposed to be especially easy, but it is essential. Entities that abandon customer-desired functionality to sidestep security threats—like France did—or abandon security defenses to enable better functionality—as did this major company—are equally wrong.

The reason corporate security is so challenging is that it is constantly in the middle of the battle between functionality and safety. It's easy to make a site or a building completely safe if you need not worry about people being able to use it. It's just as easy to make access and functionality super easy, if you're willing to have no meaningful security.

The corporate world we live in, though, requires both and therefore forces security and functionality to constantly battle. That's the way it should be.

Authentication has to put some level of burden on legitimate users to protect those same users. On the flip side, security must understand that the instant they start blocking functionality is when they have gone too far.

I did a story recently about GRC strategies and was struck by the wisdom of one former government CISO. He had tried preventing unauthorized downloads so that he could better secure his data assets. Users rebelled. "I started asking people ‘Why are you using a cloud provider?’ Their answer was that they just had to get their jobs done," the former CISO said. "Users are like water: They will find the fastest way around something if you’re in the way."

That's exactly right. But that absolutely does not mean that security has the right to give up, any more than business units have the right to surrender to security. Both must co-exist. If security and LOB managers find the tug-of-war distasteful, they probably have struck the right balance.