One of the age-old battles in information security is balancing the trade-off between usability and security. We recently had a conversation with a client where this was brought up as a concern about implementing the security controls we were recommending. The client said, “sure I can lock down this website such that no IP can get to it and then it will be completely secure, but no one can use it.” Although he was using an extreme example, he was voicing a very valid concern and one that everyone in security should be cognizant of. Security doesn’t mean anything if a company can’t run its day-to-day business operations. We need to balance usability and security.
With that being said, it is the job of the director of IT, the CISO, or whoever manages security implementations in your organization to manage risk while facilitating the business. At Triaxiom, we want to partner with our clients and we’re always here to help in every way we can. However, at the end of the day, we are hired as security experts to identify and quantify the risk that vulnerabilities or a lack of security controls present to your organization. Our ultimate goal in any assessment we perform is to give you, as an objective third party, the information you need to make data-driven decisions that keep your company secure. To do that, we aim to define and demonstrate the risk for you.
A key thing to note, however, is that we don’t always have the full picture when performing an assessment. We probably won’t see the usability constraints you are operating under in your unique situation. If you are a 100% remote company with all of your employees accessing internal resources remotely, your usability constraints are going to be much different from those of a company whose users come into an office every day. Because of this, some of the things we recommend to improve your security posture may simply not make sense for your organization. But they are just that: recommendations to improve your security or reduce your residual risk, based on our expertise, industry best practices, and what we are seeing other clients in your industry do.
At the end of the day, though, it is often our primary contact at an organization during an assessment who has the more complete picture. Through their time at the organization, the challenges of keeping it running are far more apparent to them than to us. Our report is meant to provide a better understanding of the risks you face so that you can continue making the right decisions regarding security. With both of those elements, we hope that you can effectively balance usability and security.
Of course, we are always here to help, and we’re more than happy to adjust recommendations based on your unique scenario or constraints. Let’s talk it through and come up with a list of alternatives if a particular solution isn’t possible. We are 100% on board to help you improve your security and reduce your risk in any way that we can, and since there are no silver bullets in security, sometimes it just requires getting a little creative with the controls you’re implementing.