The balance between security and user accessibility is a constant struggle for the IT community. Security professionals like myself want to secure data and ensure user safety above all else. At the same time, we are constantly reminded by upper management that cybersecurity protocols cannot be too restrictive as it hampers productivity. If a recent survey of high-profile chief information security officers (CISO) is to be believed, it appears the cybersecurity community is creating an environment of stagnation. There may be more to this survey and ensuing report, however, than certain news articles have led on when reporting about it. The study, by the software company Bromium, sought to find what the general opinion of CISOs was with regards to present-day cybersecurity efforts. The results of the survey showed that 81 percent of the 500 CISOs (from the U.S., U.K., and Germany) polled held a negative opinion of said efforts. Their specific issue was with what the survey described as a “prohibition approach” to security. The CISOs use this terminology based on the following stats about the respective companies they work for that are covered in the Bromium CISO study:
- 572 hours annually are spent in totality by helpdesks assisting users with gaining access.
- 88 percent of companies surveyed have policies in place to restrict users from performing certain operations.
- “Users complain every week that legitimate work is being blocked or rejected by overzealous security systems.”
As a result of these points, 77 percent of the CISOs surveyed feel that they are “stuck trying to keep the organization secure while enabling innovation.” The report goes on to, suspiciously in my view, give a solution that seems to point to usage of their own products: “To resolve the dilemma of security versus productivity, organizations need to consider a new approach … This is exactly what Bromium does.”
Additionally, at the end of a separate infographic released along with the report, Bromium states the following:
By containing activity inside a micro-virtual machine, protection is seamless, virtually invisible for end users... Application isolation allows users to download attachments, browse websites and click on links without fear; every activity is contained inside a micro-VM.
“Without fear,” huh? Now that sounds just a tad absurd to me. There is, as I’ve discovered, a good cause for my cynicism.
Not a magic bullet
Conveniently, Bromium is, you guessed it, a company that has pushed its micro-VM software into the security sphere and has attempted to get what is still considered an experimental security option to be widely used. To create a survey and study that may have as its main purpose marketing its own products, no matter how true the stats may be, is pretty annoying in my view. Bromium’s micro-VM is not the magic bullet solution that they suggest it is. In my opinion, it is reckless of the company to wade into the user vs. security debate by not only pushing a product, but also to recommend what could prove to be reckless actions because they somehow believe the micro-VM is impenetrable.
Virtualization has some benefits, but the issue of access control (which this poll brings up frequently) is not solved at all by it. You will still have to determine who gets to access what, and inevitably will have people complaining that they are being “hampered” by “overzealous” security protocols. Additionally, virtualization can be bypassed to get to the host — it merely makes the bypass process take a little longer. Not to mention that, I promise, Bromium has exploitable vulnerabilities that they simply don’t know about yet, just like any security software. Even further, above all this, hackers love a challenge, and if a micro-VM lulls users into a false sense of security because supposedly everything they do is of no consequence, I’m certain malware and social engineering experts will have a field day.
The reality is, with regards to the user vs. security issue, there is no singular answer or solution. We don’t, as cybersecurity experts, want to stifle the creativity and productivity of workers. The reality is, especially depending on where you are implementing policies, this is going to be inevitable. Those in charge of security protocols, both in creating and enforcing, would love to be able to give more leeway to users. We don’t enjoy being the cops that ruin your fun, but unfortunately this is quite necessary.
Major problem is still human error
Human error, more than any other factor, is the No. 1 cause of cybersecurity incidents globally. From ransomware attacks to spear-phishing emails, hackers know that the one constant of any security protocol is that there is someone, somewhere, who can be fooled. It comes from a variety of reasons, but I believe a study last year from the National Institute for Standards and Technology hit a major cause to blame.
Citing what they called “cybersecurity fatigue,” the NIST pointed out the following:
Average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues... Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.
This may sound callous, but my takeaway is that users want to have their cake and eat it, too. They want more control over their environment, but when asked to do their part for security, they complain about the need to have greater understanding of the complexity that cybersecurity possesses. Conversely, if we as security professionals revoke that control, the users will complain about being, as the Bromium study states, blocked from work due to “overzealous security systems.”
When I first saw this Bromium CISO study, it was in a news article on the website of Infosecurity Magazine. There have been other publications that reported this same survey, and much like the article I read, they only reported the data that was obtained by Bromium, or even worse, were complicit in the marketing.
The conflict of productivity and security is such a nuanced and volatile subject in IT that my fellow journalists would do well to not cherry-pick the information they are presenting. Instead of merely showing that CISOs are disgruntled, we must also show the user faults and (in this particular instance) what appears to be the marketing ploy being put into action by those behind the Bromium CISO study.
Photo credit: Pexels