Security vs performance
Imposing security from above can make IT the 'Department of No', writes John Leonard, meaning it's important to strike the right balance
We are often told by IT professionals in the course of our research that security is of overriding concern when it comes to implementing new programmes such as cloud or enterprise mobility. However, outside of the IT and finance departments, concern about security is often spread pretty thin.
Because of this the IT department can make itself very unpopular when it insists on solutions and procedures that slow things down or impede people as they go about their daily jobs.
Frequently, employees lacking detailed knowledge of the nature of cyber threats will see this as yet more control-freakery by a pettifogging IT department that is obsessed with rules and box-ticking bureaucracy: the "Department of No".
So while the IT department might see security as being of overriding importance, it may find its own authority overridden from above, or undermined by those taking matters into their own hands.
"Since the risks are not clear to the business, senior management would prefer more priority be given to performance than security," said a senior IT manager in business services, commenting during a focus group which was part of a programme of research that supported Computing's recent Enterprise Security and Risk Management Summit.
Nearly half of the participants in a quantitative survey of IT professionals said security solutions and protocols can sometimes slow down network traffic and application performance, or impede employees in their day-to-day work, with people and applications bearing the brunt in roughly equal measure (figure 1).
An example of the former might be insisting on password protection for different systems, with multiple, hard-to-remember or frequently changing passwords leading to a constant stream of helpdesk calls. On the systems side it might be performance overheads associated with encryption and malware scans, or the blocking of services considered to be a risk.
"The time it takes to log on, the fact that you're encrypting hard drives, that is going to slow you down… All the concerns our users have are down to processes and the technology in place slowing them down…" said the head of corporate systems at a charity.
Deployment of new equipment is also hindered by the need to configure security elements, which slows down the rollout of service requests.
Balancing act
In attempting to balance the occasionally conflicting demands of security and performance, the survey respondents were - unsurprisingly, given that they work in IT - more likely to sit at the security end of the spectrum, with more than a third saying that under no circumstances would they weaken security to enhance performance (figure 2).
However, at the other extreme 14 per cent said they would prioritise performance over security in most cases, while another 19 per cent said they would switch off functionality in a security product if it were found to slow down applications or network traffic.
This is not as reckless as it might sound because security is a multi-layered affair, as an operational IT risk officer in banking explained.
"If there are any performance issues in terms of responsiveness, we switch security off because the traders [won't tolerate it]. We have several layers and we don't always need all of them, so we might switch off a layer but we still have five or six in place while we figure out what the issue is…"
Perhaps the most enlightened approach is represented by the 20 per cent who said their most important data is under a high-security regime but for the rest performance is more important. This implies a risk-based strategy, tailoring security levels flexibly to match the type of data or the consequences of its loss. This approach best fits the distributed nature of data and infrastructure in most organisations.
"There are key areas of our business which drive client satisfaction and continued growth - for these, performance must come first. But we also hold personal details on people and we prioritise secure access to these over fast access to them," said an IT manager of a charity.
"A level of security is critical for the risk management of the organisation, while performance is critical for people to get their jobs done well," added the CIO of a technology firm.
If people perceive the barriers to be unnecessarily onerous, they will find a way around them. This is particularly the case now that an enormous number of free cloud services can replace many aspects of enterprise IT - employees will not put up with poor performance for long. A combination of ignorance of the risks and the easy availability of alternatives means security solutions that have a noticeable impact on performance are likely to be counterproductive, leading to a shadow IT environment that might be much more risky.
Keeping out of the shadows
"What's unrecognised is that invisible cost of security; how much have we cost the business to put in these hurdles and sometimes it outweighs the efficiencies, also the unsupported processes that people use to avoid our security controls. There's a cost there and that's often overlooked," said a director of global threat management in media.
A case in point was given by a network manager in a local authority.
"There was one instance a few years ago where they started encrypting memory sticks so you couldn't use your own memory sticks. We said 'well if you do that, you know what's going to happen next: they're going to go straight to cloud computing' and that's exactly what happened…"
The very act of imposing security from above can lead to poor levels of understanding of the issues, particularly by those who don't see their role as being a particular risk. Moreover, as organisations become increasingly distributed, this approach becomes harder to manage.
Ultimately, all employees, suppliers, devices and applications are a potential backdoor, providing an entry point for an attacker.
Respondents said that a consultative approach was essential, to educate users and also to discover where security procedures are counterproductive.
"It's finding the balance of business needs against business risk and meeting it in the middle," said a CISO in retail.
"If the performance is critical to the business and security is slowing you down, it can have a massive impact on the business. It's communicating, listening and monitoring as well. If it's slowing the process, then you need to be more flexible. Gone are the days when security says 'this is how it should be', it needs to evolve."