If there is one thing that executives and managers never want to disrupt, it is productivity. As most managers know, productivity is the ability to make use of resources while producing profitable goods and services. Put another way: are you producing enough profitable output given your resource inputs? Productivity is a measure of a company's performance and can be used to gauge how efficient the business is. When productivity is high, so too is profitability. Productivity matters because it is an active means of gauging how effectively an organization's operations produce profits; profits are the end result of productivity. It comes as no surprise, then, that managers at all levels of the organization do not want to decrease productivity. One problem that often develops from the pressure to increase productivity is forsaking security for perceived efficiency gains. Managers often view security as an obstacle to productivity, on the perception that added security measures will get in the way of people's ability to get their job done. While it is fairly easy to see how they came to that conclusion, it is simply not true. The reality is much better: companies can integrate security into their business process improvement frameworks, allowing managers not just to eliminate waste but to enhance security as well.
Where Does the Pressure for Productivity Come From?
The drive for perpetually increasing productivity comes from the two sources of profit for companies: cost reductions and revenues. When a company reduces its wasteful costs, it increases its savings, which in turn increases its profits. Additionally, reducing waste can lead to a more streamlined production process and optimized operations, yielding either a higher quantity of product or a better quality of product or service. The role of managers is to boost productivity in order to increase profitability; this is the expectation of shareholders and the Board of Directors. Outside the organization there are competitors who are constantly seeking to deliver similar value better and faster, not to mention technological advances that create new business models capable of rendering a production process obsolete. The pressure a manager faces is enormous. In recent years these troubles have only intensified as information technology has redefined what security means for many businesses. While increasing productivity is a reasonable goal, sacrificing security is simply reckless. If an organization suffers a data breach, all of its efforts to boost productivity are rendered moot: now there is public backlash, lost sales, reduced brand equity, lawsuits, and an overall decrease in profitability. Managers place their organizations under enormous risk by ignoring cyber security.
Common Business Process Improvement Frameworks
When trying to improve productivity, managers often turn to business process improvement frameworks such as Lean, Six Sigma, Kaizen, or Process Reengineering. These frameworks share the goal of eliminating waste and utilizing labor and assets in the most efficient ways possible. For example, under the Lean process improvement framework managers are supposed to follow five principles: (1) determine the perceived value of the output, (2) identify the value stream, (3) reduce large batch processing, (4) develop demand-pull activation, and (5) pursue continuous improvement. Six Sigma focuses on quality improvement and sets a goal of reducing errors to nearly zero. Kaizen is a more incremental approach, repeated until efficiency goals are achieved, and works best with repetitive tasks. Process reengineering is a general approach that seeks to redevelop end-to-end processes to make them more efficient; the goal is to eliminate unnecessary steps, reduce hand-offs, reduce errors, and improve cycle times. Notice one thing about every one of these frameworks: security is not mentioned or highlighted anywhere. Instead, it is left to the manager to understand the need for cyber security and to devise an innovative way to integrate it. This is a problem, because these are only a sample of the popular approaches managers use to make their operations more productive and efficient. Thankfully, there is a security design philosophy for developing a process or operation that blends well with these frameworks.
Integrating Security-by-Design Principles
Security by Design is a set of principles that builds data security into the design of a product or process as a core part of its development, rather than as a retroactive feature. In the context of security, a quality process is one that is as secure as possible from the start. Data security's core principles are confidentiality, integrity, and availability, and the security-by-design framework is built on these three pillars. The security-by-design principles include the following:
Principle of Least Privilege
Ensure that access to information is limited and granted only on a need-to-know basis. Users should operate with the minimum set of privileges their work requires. This principle applies without regard to title: the CMO should be able to access only what they need and nothing more, no different from the new hire in Payroll.
Fail Safely
Design sub-processes so that even in a failed state the main system remains unexposed to threats. This can be considered part of developing a continuity plan. The goal is to ensure that your organization can still carry out each process well even if its technology is offline. FedEx had to do this during the NotPetya outbreak, when its IT systems failed globally but it was able to continue operating.
Simplicity
Security is about control and protection, both of which become harder the more complex a system is. Ensure that information systems provide exactly what is needed, in a way that allows productivity to proceed without bottlenecks. The more complex a system is (features, plugins, integrations, etc.), the more exposed it becomes to threats and bypasses. The simpler a system is, the easier it becomes to oversee and control.
Don't Accept Obscurity
Systems that depend on secrecy will often be exposed or rendered obsolete. Do not aim to be secure through secrecy. Dividing data across servers will protect you better than keeping secret files, which are likely to be exposed during a cyber attack.
Psychological Acceptability
Security needs to be integrated into an operational process rather than being a hindrance to the continuation of work. For this reason, ensure that your security system is user-centric, in the sense that it takes into account what the users' job is and what too much added work will do to their motivation to participate. If this critical people component is not taken into account, your organization's exposure to insider threats from negligence and frustration rises. This is at the heart of maintaining productivity.
Layering Defenses
Do not rely on just one mode of defense, as any single mode is subject to bypass. Security in people's behaviour is just as important as the supporting technology; it is the first line of defense. You should embed at least two mitigation strategies so that, in the event of a breach, data is still not accessible to outsiders. Most of these will be passive and unnoticeable to users on the network.
Where to Integrate Them Into The Frameworks
Seek to include each security-by-design principle in each phase of the framework where possible. The principles blend well with the process redesign frameworks; you do not have to apply every principle at the same time, but do try to apply as many as you can in your process redesign. The most important principle when it comes to productivity is ensuring that the process is psychologically acceptable. It is also important to realize that you need to design a secure process first and only then consider which technology is applicable. Technology should be implemented only after root causes have been identified; if you implement technology on top of an as-is process, you will only add complexity and reduce productivity. At its heart, process design is the effort of creating repetition. So design the process first, ensure that it is both secure and efficient, and then integrate new technologies.
About the Author: Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior. Isaac can be reached at [email protected]. Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.