Note that the technical threats begin at position number 7! The top 6 are dominated by threats based on user behaviour (and the lack of proper tools and policies, which allows such behaviour)!
Why does that happen? What can be done? Read on to learn more and see some Dilbert!
Why does that happen?
All modern platforms are “reasonably secure” in order to be used efficiently and securely. So, why is this happening? Your mileage may vary and I’d love to hear your opinion, but this is what I see in conversations with my customers (not in any particular order):
Lack of user education. Even simple email campaigns such as the WorkspaceONE Adoption Kits help promote security hygiene. Not to mention that when combined with modern monitoring and analytics tools it may identify dangerous behaviours and send a targeted “friendly” email to the user, ex
Outdated tools (such as relying on MDM alone without proper identity and access management). Today, simply having passwords and VPNs is not enough. The environment and threat landscape have changed, and modern endpoint security can only be achieved through the combined interplay of mobile, desktop, identity, access, application and data management controls.
Outdated culture. I think this is the most important one. The old-school culture of the IT-defined workspace, where “do it right just how I say (c)” (bonus points to those who know where this is from without googling!) is the only way to work, was OK 20 years ago, when users had no choice.
In this day and age, however, by using old-school, overcomplicated security policies IT just shoots itself in the foot. The user of today has a choice: personal devices and cloud services that are all so nice and easy to use! In the end the worker is ultimately paid not for following policies and knowing the corporate rulebook by heart, but for getting the job done. So if I can get the job done without IT – I’ll do it! Nowhere is Shadow IT so strong as in the End User Computing and Cloud Services world!
Combined with the lack of proper security controls (which were simply unimaginable when those old policies were conceived), old tools and lack of education, this results in those top 6 positions in the chart, the ones IT thought it could eliminate with super-strict policies no one wants to follow.
So, what can we do?
It’s not too hard really (birds-eye view, of course):
Change the End User Computing strategy from IT-Defined to User-Defined. It has to be Consumer Simple yet Enterprise Secure. 5 years ago you had to choose one, but this day and age you can have both!
Implement the policies that follow the lines of “How can we make users productive and comfortable while compliant” instead of “Compliance über alles! IT is for IT efficiency, not user efficiency!” Those times are back in 1939, you know.
Watch a short video on what I mean by a culture change.
Deploy End User Computing platforms that support those policies. As I said before, MDM alone is no longer enough. You need all the bases covered: Mobile, Desktop, Identity, Access (Application/Email/Content/etc), Productivity etc. Your choices are to implement multiple tools (one for each job) or find a platform that does it all reasonably well. Both have caveats.
- Specialized tools will definitely be better at their jobs and will give you more options. But integration may be tough. Consider the rate at which modern tools and products are updated: Intune releases updates every two weeks. Different VMware WorkspaceONE products are updated between one week and one month. Some of those updates can be skipped, some are important to support the devices (Apple’s iPhoneX UUID changes and upcoming 12.2 device enrollment changes, Google’s transition from GCM to FCM etc). Imagine juggling 5-8 different products, each updated every month, and trying to ensure that nothing breaks! (If you can – absolutely leave a note below – I want to hear about it!)
- Universal platforms are easier to deploy and maintain, but of course will never outmatch specialized products. The key here is extensibility. It is unlikely that you will be able to implement all the super-advanced features on the first day (or even in the first quarter or year!). Choosing an open platform will ensure that your growth is not strangled by vendor lock-in, and that your investment of money and time is not wasted.
I would consider settling on 1-2 platforms from well-established vendors that will allow you to grow and plug in specialist solutions if you ever feel that the platform native features are not enough for you. In my mind this is a good balance between getting what you need and keeping everything under control. What do you think?
Show your users that you work with them, not against them (this is how IT Security is viewed by most users today, won’t you agree?). Educate them, use your modern platforms and analytics to spot users with lax security or low hygiene and instead of scolding them – send them something friendlier that will improve their habits. Show them that you are protecting them, not restricting them.
To sum up
End-User IT Security people will always be seen as Cops. But it is up to us to choose whether to be Bad Cops, or Good Cops. What’s your choice?