The notion of prioritizing cybersecurity can be misconstrued as a hindrance to convenience and productivity – a ‘balancing act’. Security incidents over the past few years have brought this issue to the forefront, highlighting the need for a reevaluation.
While the conflict between security and productivity surely exists in forms such as multi-factor authentication, there are plenty of shining examples of how security measures and productivity go hand in hand. For example, Single Sign-On (SSO) streamlines access without compromising security.
While there are absolutely more key examples already being implemented, the need for quick decisions leads to security being implemented as “locking down” an environment. Security teams using traditional security systems implement “controls” to prevent risk, and this often means deciding whether to block or allow an event or an application.
This is highlighted more recently with the proliferation of tools like ChatGPT. Companies are expected to have a hard stance on its usage within the organization. The quick decision: should you block potentially risky platforms entirely, or allow their use while educating users to minimize risks? When something is blocked, the negative effect is lost hours. When something is allowed, the negative effect is the increased potential of a threat. Both are lost dollars. However, there is an alternative between these two, one in which security and productivity exist together with optimal outcomes on both sides.
Security teams need to understand the importance of addressing this “gray area” and how to navigate it in the context of a remote-capable, contemporary workforce. It’s the key to unlocking productivity while implementing security across the organization.
The Gray Area
The term “gray area” in cybersecurity refers to situations where the line between strict security measures and optimal productivity blurs. We find that throughout the workday, employees are faced with activities, events, and applications that are either allowed or blocked. We continue to see that it’s just not that simple. These situations can be complex, as they require a nuanced approach to balance the need for security with the necessity of unhindered workflow. Understanding this gray area is pivotal for building a secure yet efficient work environment.
Currently, a majority of security teams address this gradient by either having much more restrictive environments with few exceptions or taking a lenient approach with an overly heavy reliance on detection and response technologies. The ones that are ahead try to scatter controls across roles and groups, but end up with the ‘balancing act’ and a security gradient that looks a lot more like you zoomed too far into a picture.
Current State – Overly restrictive or permissive security measures based on function
Ideal State – Strong access and data security measures that don’t sacrifice productivity
The importance of addressing this gray area has evolved in recent years. There are several reasons why it’s now a pressing issue:
- Remote Work: With remote work becoming the norm, the traditional security perimeter has dissolved. Employees access company resources from various locations and devices, intensifying the challenge of maintaining robust security.
- Workforce Dynamics: Technology has changed workforce dynamics — we communicate with each other through a plethora of mediums. And a younger generation of employees has entered the workforce. They’re accustomed to seamless digital experiences and often value productivity-enhancing tools. Traditional security measures that impede efficiency are met with resistance.
- Evolving Threat Landscape: Cyber threats are constantly evolving, and the workday for information workers has put a focus on a few key applications like the web browser and email. The gray area encompasses adapting security measures to address new, sophisticated threats without stifling productivity.
Moving towards the Ideal State
Addressing the gray area isn’t about developing more technology; it’s about understanding human behavior. These are fundamentally human problems that require human-centric solutions. To effectively tackle this challenge:
1. Focus on Actions, Not Technology: Recognize that security is not solely a technological problem. Understanding how individuals behave and interact with technology is crucial to striking the right balance.
2. Implement Browser-Based Feedback for Actions: A practical approach is to provide real-time, browser-based feedback for user actions. This empowers employees to make informed decisions about their online activities, reducing security risks.
3. The Power of Pause: Responses that purely block activities are necessary in certain situations, but to really address the “gray area”, security teams need to use preventative technologies that pause the user at the point of click, giving them context to make a secure decision. In situations that aren’t direct threats, discretionary controls can be used to reduce the risk of an action.
Browser Security as a Key Step
Browser-based feedback aligns with the realities of today’s workforce and helps security teams focus on securing real actions. The surge in remote work has dismantled the traditional security perimeter and employees can spend most of their day in a web browser. Evolving workforce dynamics, driven by advancements in technology and the entrance of a younger generation into the workforce, prioritize seamless digital experiences. Again, this is a place where the browser can become a key part of the security strategy, focusing on actions and the power of pause to create a secure work environment that doesn’t hinder productivity. Finally, the ever-evolving threat landscape demands a focus on key applications like web browsers in the workday, prompting the adaptation of security measures to combat new, sophisticated threats.
Employees can work confidently, knowing that their actions are both secure and productive. Security measures don’t hinder their workflow; instead, they empower them to make informed decisions. Collaboration flourishes, innovation thrives, and the organization’s data remains protected.
Addressing the gray area between security and productivity is paramount in today’s remote-capable work environment. By focusing on human behavior and implementing browser-based feedback for actions, organizations can create a workplace where security enhances productivity, all while catering to the expectations of a younger, tech-savvy workforce. The ideal picture is one where security and productivity not only coexist but also reinforce each other, creating a secure, efficient, and innovative work environment.
At Keep Aware, we address this gray area and provide a solution that adds a fundamental layer of security to the browsers employees use every day. See how Keep Aware can help your employees prevent threats at the point of click by meeting with the team.
Ryan Boerner on LinkedIn