Striking a Balance Between Security and Flexibility is Crucial

Over the last twenty or so years I’ve been a part of a lot of different environments. Companies as small as three people, to one of the world’s largest and most complex enterprises – all unique in their own way. The way they each handled security was fairly unique as well. Beyond the obvious "Did they take it seriously?" question, was the all important question of how they achieved balance. The type of balance I'm referring to was between flexibility and security. Organizations that figure out the balance flourished, while those who failed struggled.

For the record, I do not believe you can't have both flexibility and security. I do believe, however, that you must compromise. Absolute flexibility, or absolute security, while they may appear appealing are ultimately bad. When you think about it, completely secure environments are often unusable. A similar thing can be said about complete flexibility. Those types of environments are virtually impossible to secure.

So we look for a balance. But that balance often proves to be elusive. Some companies require highly secure environments. Others require high degrees of flexibility to support the workforce. Providing one while maintaining a reasonable level of the other is no small feat. Security professionals work hard to find that balance. But the secret to this balance is the word reasonable. Often we as security professionals aren't reasonable. Our colleagues on the business side of the table aren't immune to this either. So again, we seek balance.

As a security professional you should remember three key things to guide you:

1. You support the business mission

2. Productivity often trumps any and all security requirements if forgotten

3. Security is never an absolute

That said, let me lay out some useful strategies for striking a flexibility - security balance.

First, understand your organization's appetite for risk. I know risk is a massively over-used word in security. I also know many security professionals use it incorrectly. The point is that you must understand where the limits are. I don't believe there is a magic formula or template for this activity. You simply have to figure it out. Talking to your enterprise risk team generally helps. The point is don't decide this on your own.

Second, understand how your business or organization operates. What are the driving processes? What level of autonomy are employees given? What are the regulatory pressures and responsibilities? These are key inputs into your balancing strategy. 

Finally, understand your own resources and capabilities. How much control a security team can exert over an organization is directly proportional to it's ability to execute. Even a small team with good operational processes can handle the workload that tight control requires. However, take operational capability away and control is at best an illusion.

Bottom line, if you're not careful, security becomes a hinderance and a target. Where security leaders create inflexible environments, security tends to struggle. High levels of flexibility, supported by good operational processes, can drive good security. It's all a matter of how you define your strategy.

As an example, let's take something we're very familiar with. Security organizations have historically added a significant amount of lead time to projects. What I mean is that when a project called for compute resources, security teams typically were a big part of the timeline. It was, and in some cases still is, common for security take up to 20% of the project timeline to "add security". That is simply unacceptable. Where security was inflexible developers and project owners turned to a predictable outcome. Development teams turned to the cloud to bypass security.

So the lesson here is that security teams must focus on flexibility. Where flexibility fails, security often follows suit. Striking a balance between security and flexibility is crucial.