Pointing to culture as being the “problem” is a cop-out and shows a lack of tenacity and fortitude. If security is to be put in place, then the culture must come along and accept that, if it wants to survive in today’s threat environment, a degree of discomfort is tolerable.
Leadership needs to make sure everyone knows that:
- They will be watching the network.
- All users will be monitored, all the time.
- Users will have to authenticate to every asset.
- It’s not their data; it’s the company’s, so the company controls it.
- Security isn’t optional.
Users need to learn to deal with security — it’s a way of life now (or at least, it should be). If that’s not going to work for some folks, then tell them to go somewhere else and be their security problem — or make the choice to allow them to hinder security and be ready to be part of a breach. Tell the board or shareholders that, thanks to the groans of a few individuals, you have chosen to allow “culture” to threaten the bottom line of the company.
In today’s world, it is no longer acceptable to allow a few individuals’ fears and unfounded concerns about monitoring and security operations to impede a secure digital future for the majority.
(Via Latest Topic for ZDNet in security)
I got out of the habit of posting about these types of #content, but this one, I think, strikes most of the right notes.
IMHO there is too much hand-wringing and pandering to millennials — more specifically to the idea of what it means to be a millennial — in order to hire and keep them as workforce. To that end I like four of the five points above.
It’s that middle one about users having to authenticate to every asset that can be problematic. That’s the one where potentially security introduces friction into the business. Depending on how zero trust is implemented, security could introduce a significant amount of friction into business processes.
Friction costs money. Security breaches do, too, but there needs to be a serious objective calculus done in the organization to make sure the balance is properly struck. Also, regardless of generation, if security adds in layers of frustration, that can have a tremendous impact on morale.
The success of zero trust is on the security team(s), IT, and Risk Management working together to provide value to the business. Respond on social media with your thoughts.