I’ve been in positions that have had security personnel reporting to me directly, and I have to admit I’ve often just considered them to be part of a function that just needs to get done. Security people tend to be overly paranoid, and they always seem to be costing money, making suggestions that slow everyone down and cause all sorts of other annoyances.
On one hand, I’ve seen some pretty bad things done in the name of security that almost always result in systems being less secure. Anyone familiar with the old rule: you must have a password with at least 10 characters, and it must include at least one lowercase letter, one uppercase letter, one number and one special character? Yeah – nobody can remember them, so we write them down on a sticky note on the computer. This makes the password completely insecure – the opposite of what you were hoping for. Or how about email programs like Good, or two-factor authentication (e.g., physical fobs), that make you have to have special devices or carry things with you? It’s almost like the security folks think security is more important than productivity!
But I’ve also seen what happens when security breaches occur – and the fallout can be massive. Just recently, I received an email from my son’s high school. It turns out that one of the students (what would you expect from a science and technology magnet school?) hacked into the system to get parent emails. Fortunately, nothing bad came out of it, but it was a clever hack and deception that could easily have resulted in further fallout.
My advice? You should balance security with usability, flexibility and cost. Security itself is a business decision. How much risk can you tolerate? What is your exposure? What are you willing to give and take away in the name of security? And please, don’t forget your users. Making it harder for them to get their work done is a business decision. If you don’t put them in the picture, you will sap their productivity and creativity.