Security versus functionality: avoiding end user revolt

Issue 1 2023 Security Services & Risk Management

One of the biggest challenges facing any CISO today is a term we call end user revolt, when users circumvent all security measures and protocols in order to do their jobs.


Wayne Olsen.

When the business puts mechanisms in place to secure its infrastructure but these hinder users from being productive, users will always find a way around them. For example, if they are unable to copy a phone number from their email to WhatsApp for business purposes, they will simply forward the mail to their private email or a web application and copy it from there to get the job done. Typically, they are not doing this with malicious intent, but to make life easier.

Not delivering what users need, or actively hampering their ability to work, inevitably leads to workarounds and ‘shadow IT’, which raises security, budgetary and compliance risks. In the modern hybrid work environment, with a proliferation of new SaaS and web applications available, it has become faster and easier than ever before for staff to find the tools and workarounds they want.

Shadow IT is thought to account for anywhere between 30% and 50% of IT spend at large enterprises today, and this proportion will grow unless IT is able to deliver what users need. While SaaS and web applications are inherently useful, a proliferation of unsanctioned SaaS and cloud tools in the environment means IT security will lose visibility of what data is being sent, and where, be unable to apply policies across the entire environment, and may even lose sight of what data exists within the organisation.

This can have serious implications for the business. Human error is one of the organisation’s biggest weak spots, so when users are taking charge of security themselves, within a shadow IT environment, nothing is safe. Mimecast’s State of Email Security 2022 report found that 83% of respondents believe their company is at risk due to data leaked by careless employees, and a past IBM Cyber Security Intelligence Index estimated that human error was the major contributing cause, up to 95%, of all breaches. Statista states that 58% of global CISOs believe human error is their organisation’s biggest cyber vulnerability.

How do CISOs achieve a balance between security and functionality, enabling agility and productivity for the business, without the risk?

Becoming a business enabler

CISOs need to evolve their role and move past being a business disabler. Traditional, dictatorial approaches to security can be seen as a hindrance to business, because they prevent the business from being agile.

You see this clearly in the misalignment between security and networking teams: for example, networking is worried about speeds and feeds, while security’s only concern is security. Operational technology teams are worried about uptime, and security’s only worry is security. When goals are misaligned in this way, you start getting end user revolt.

CISOs can no longer afford to make autonomous decisions to implement security measures without considering how these will impact users. When security measures are implemented, without consideration for how practical they are, users will simply spin up private cloud drives (like Dropbox), and take other measures that enable them to work more efficiently.

When a business unit wants to spin up a new application or service in a hurry because they are under pressure to meet revenue targets, they will bypass the CISO and security processes without considering the ramifications, because they are worried about revenue first and consequences later.

CISOs, who actively engage with business understand the business’s strategy and identify ways for security to be an enabler, will put themselves in a position to overcome end user revolt. This next generation of CISOs, also sometimes described as a ‘Chief Information Security and Business Officer’, will be the person tasked with balancing security and productivity.

The way around user revolt is to be involved in the broader business and have users buy into the concept of keeping the business secure, knowing it will not hinder their work. CISOs should consider implementing rules by department instead of having enterprise-wide policies: for example, allowing marketing teams to load data onto external drives because they need to share information with suppliers, while making it clear that security will monitor the nature of the data they are copying. Conversely, not allowing receptionists to copy data onto drives because there is no business reason for them to do so.

Security needs to be driven from the top down, with security-driven scorecards on the security impacts of any new project, and security needs to be built into every procedure from the ground up.

In a world where time is money and no business can afford to lag behind the competition, CISOs have to work harder to make security an enabler, not a disabler.

For more information, contact BCX, Wayne Olsen, +27 11 266 1000, [email protected], www.bcx.co.za/solutions/security


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
Unlocking new efficiencies in private security
Security Services & Risk Management Transport (Industry) Smart Home Automation Logistics (Industry)
Justin Manson, Sales Director at Webfleet, discusses how the urgent need to protect life, and to do so more efficiently, is driving continuous innovation in holistic home and residential security services in South Africa.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...
Natural catastrophes and fire risks top concerns
Security Services & Risk Management Asset Management Residential Estate (Industry)
Natural disasters are the highest risk in the real estate industry, followed by fire and explosions, and then business interruption. Estates must prioritise risk management and take proactive measures to safeguard their assets, employees, and reputation.

Read more...
Building a solid foundation
Alwinco Security Services & Risk Management Asset Management Residential Estate (Industry)
Understanding the roles of a Risk Assessor and a Risk Manager is like building a solid and secure foundation in the security world. Andre Mundell makes it easy to understand.

Read more...
SA firms take nine months to detect data breaches
Information Security Security Services & Risk Management
A human being can be conceived and brought into the world at roughly the same time a South African small and medium-sized enterprise (SME) becomes aware of and reports a data breach.

Read more...
Be wary of these scams this tax season
News & Events Security Services & Risk Management
As we approach the end of August, millions of South Africans will log onto the SARS eFiling website or visit their closest branch to complete their tax returns, but scammers are also waiting to defraud with tax-related scams.

Read more...
Businesses battle for long-term sustainability
Security Services & Risk Management News & Events
KPMG International’s report reveals the three key risks to growth in 2024 and beyond: geopolitical uncertainty, trade restrictions, and divergence on AI. The energy and natural resources sector is the ‘most exposed’ industry group in 2024.

Read more...