There is a delicate balance between being network security-conscious and being paranoid. It’s like the fine line between genius and insanity. Some of the most famous psychopaths in history had IQs in the 180s. Like the trait of intelligence, which varies along a continuum, our approach to network security can range from overly permissive to delusional paranoia. There is a saying that “you can’t be too careful”. I would argue that you CAN be too careful.
Getting the balance right
I’ve certainly seen both extremes over the years. I’ve worked with companies that had no concept of network security and the need to protect themselves against the dangers of being “online”. All that would change once they suffered from a nasty virus or malware that caused massive loss of data or productivity. I’ve also been involved with organizations where the IT department had such tight control over the network and users’ workstations that it was difficult for anyone outside of IT to get anything done that required access to online resources.
Most organizations have discovered their security “sweet spot” – that balance between reasonable security controls and reasonable user autonomy. It is different for each organization. Many government agencies are required to err on the side of caution as they fall under U.S. Criminal Justice (CJUS) requirements. The critical requirement here is restricting access to criminal justice information (e.g. police files, court documents, etc.) by unauthorized individuals. One of the pitfalls of working in this environment is that the person responsible for network security can become consumed with the idea of restricting access to the point of making it difficult to be productive. They cease to be the shepherd who guides the organization through the cyber-security “valley of death” and become the gatekeeper who prevents everyone from venturing into cyberspace lest they encounter its evils.
Protecting your network from outside threats
We are all aware that our systems and network are under constant attack by cyber criminals, non-criminal hackers, and who knows what else. I’m sure most of us have experienced at least one successful attack and probably several. We know we can never be complacent. We can, however, take our vigilance to an unproductive level. I have seen this occur in organizations where the IT manager seemed (to me, at least) to have control issues. As far as they were concerned, they owned the network and servers. They used phrases like “my systems” and “my network”. I believe that a sense of ownership can be a good thing when it comes to taking responsibility. At the same time, we must remember that we do not “own” anything. We provide a service to the organization. The hardware and software that we manage belong to the organization. We are caretakers. Our job is to keep things running smoothly so the rest of the organization can do its job. Yes, we need to protect our users from themselves by reducing the chance that they will click on a link in an email that will cause all hell to break loose. That’s why we employ firewalls, spam filters, anti-virus and anti-malware programs. That is also why we need to provide training to our users (our customers, really) so they can be as aware of cyber threats as we are, which helps them help themselves.
Fear of change will hold your organization back
We can be too careful. We can become so cautious that we become fearful of change and hinder the forward movement of the organization that pays our salary. There may have been a time when IT controlled their own world and had profound influence over what could and what could not be accomplished. That world hasn’t existed for several decades. It is imperative that we embrace and facilitate the changes that will move our organization forward while ensuring that those changes don’t diminish network security and the integrity of the network infrastructure.