• Engaging with effective governance

      Giving South African municipalities access to the tools and technologies it needs to thrive, was the driving force behind BCX SOLAR. Giving South African municipalities access to the tools and technologies it needs to thrive, was the driving force behind BCX SOLAR.

      Mining Sector

      Increase productivity & build a culture of innovation

      Financial Sector

      Meet the challenges of disruption & cyber security

      Healthcare Sector

      Empower your patients & leverage data by deploying customised solutions

      Retail Sector

      Embrace the changing retail landscape & know your customer

      Government Sector

      Use digital transformation to grow the economy & build capacity

      Industries Overview >

    • Cloud
      Reimagine success

      Accelerate your business ambitions with cloud computing solutions from BCX.

      Digital Innovation Awards

      BCX Digital Innovation Awards

      Cloud

      Computing for today & the future

      Digital Transformation

      Intelligent systems upgrading

      Analytics

      Data that works for you

      Applications

      Tools to streamline operations

      Services

      Strategies for efficient ICT
      Healthcare Solutions

      Healthcare Solutions

      Applications for healthcare
      BCX ERP Solutions

      SOLAR ERP Solutions

      Connect, integrate, and optimise

      Security

      Protection for your critical systems

      Devices

      Processes & network foundations

      Connectivity

      Connections within & without

      Partners

      Partnerships moving business forward
      BCX HR and Payroll

      HR and Payroll Solutions

      Everything to manage people & payroll
      Software Testing-as-a-Service

      Software Testing-as-a-Service

      Your pathway to zero-defect software

      Solutions Overview >

    • Our Offices
      BCX Head Office
      1021 Lenchen Avenue North
      Centurion, Gauteng
      South Africa
      0157
      Botswana

      Botswana

      Mozambique

      Mozambique

      Namibia

      Namibia

      Zambia

      Zambia

      UK

      United Kingdom

      Our Global Footprint Overview >

    • Speak To An Expert
      We'll need just a few details from you, and one of our specialists will be in touch as soon as possible.
      BCX HEAD OFFICE

      Employee Entrance:

      1021 Lenchen Avenue North
      Centurion
      Gauteng
      South Africa
      0157

      Visitors Entrance:

      1266 South Road
      Centurion
      Gauteng
      South Africa
      0157
Security versus functionality avoiding end user revolt
Home > Security versus functionality: avoiding end user revolt

Security versus functionality: avoiding end user revolt

18 October, 2022
One of the biggest challenges facing any CISO today is a term we call end user revolt – when users circumvent all security measures and protocols in order to do their jobs.

One of the biggest challenges facing any CISO today is a term we call end user revolt – when users circumvent all security measures and protocols in order to do their jobs.

When the business puts mechanisms in place to secure its infrastructure but these hinder users from being productive, users will always find a way around them.

For example, if they are unable to copy a phone number from their email to WhatsApp for business purposes, they will simply forward the mail to their private email or a web application and copy it from there to get the job done. Typically, they are not doing this with malicious intent, but to make life easier.

Not delivering what users need, or actively hampering their ability to work, inevitably leads to workarounds and Shadow IT, which raises security, budgetary and compliance risks.

In the modern hybrid work environment with a proliferation of new SaaS and web applications available, it has become faster and easier than ever before for staff to find the tools and workarounds they want.

Shadow IT is thought to account for anywhere between 30% and 50% of IT spend at large enterprises today – and this proportion will grow unless IT is able to deliver what users need. While SaaS and web applications are inherently useful, a proliferation of unsanctioned SaaS and cloud tools in the environment means IT security will lose visibility of what data is being sent where, be unable to apply policies across the entire environment, and may even lose sight of what data exists within the organisation.

This can have serious implications for the business. Human error is one of the organisation’s biggest weak spots, so when users are taking charge of security themselves within a Shadow IT environment, nothing is safe. Mimecast’s State of Email Security 2022 report found that 83% of respondents believe their company is at risk due to data leaked by careless employees, and a past IBM Cyber Security Intelligence Index estimated that human error was the major contributing cause of up to 95% of all breaches. Statista states that 58% of global CISOs believe human error is their organisation’s biggest cyber vulnerability.

How do CISOs achieve a balance between security and functionality – enabling agility and productivity for the business, without the risk?

CISOs need to evolve their role and move past being a business disabler. Traditional, dictatorial approaches to security can be seen as hindrances to business because they prevent the business from being agile.

You see this clearly in the misalignment between security and networking teams: for example, networking is worried about speeds and feeds, while security’s only concern is security. Operational technology teams are worried about uptime, while security’s only worry is security. When goals are misaligned in this way, you start getting end user revolt.

CISOs can no longer afford to make autonomous decisions to implement security measures without considering how these will impact users. When security measures are implemented without consideration for how practical they are, users will simply spin up private cloud drives (like Dropbox), for example, and take other measures that enable them to work more efficiently.

When a business unit wants to spin up a new application or service in a hurry because they’re under pressure to meet revenue targets, they will bypass the CISO and security processes without considering the ramifications, because they are worried about revenue first and consequences later.

CISOs who actively engage with business understand the business’s strategy and identify ways for security to be an enabler, will put themselves in a position to overcome end user revolt. This next generation of CISOs, also sometimes described as a ‘Chief Information Security and Business Officer’, will be the person tasked with balancing security and productivity.

The way around user revolt is to be involved in the broader business and have users buy into the concept of keeping the business secure, knowing it won’t hinder their work. CISOs should consider implementing rules by department instead of having enterprise-wide policies: for example, allowing marketing teams to load data onto external drives because they need to share information with suppliers, while making it clear that security will monitor the nature of the data they are copying. And conversely, not allowing receptionists to copy data onto drives because there is no business reason for them to do so.

Security needs to be driven from the top down, with security-driven scorecards on the security impacts of any new project and security built into every procedure from the ground up.

In a world where time is money and no business can afford to lag behind the competition, CISOs have to work harder to make security an enabler, not a disabler.

Share

SPEAK TO AN EXPERT

 We'll just need a few details from you, and one of our specialists will be in touch.

Consent
Please read our Privacy Statement & Consent Clause to understand what happens to your personal information.

RELATED POSTS