Strong IT security is often perceived as a series of obstructions that hinder productivity. Users are generally understood to want looser security, but what they really (and rightly) want is for security to be more transparent: fewer hassles, fewer passwords, fewer procedures, and more assurance that their systems will run smoothly. They are focused on getting their own jobs done, which is in fact what they should be doing. It is your job to make sure that they can keep this focus. However, it is also your job to make sure that systems are properly secured. Accomplishing both is a matter of finding the elusive balance of security and functionality that is appropriate for your organization.
Without going in depth into security philosophies and controls, it is important to keep the core aspects in mind and to be constantly vigilant and aware of threats. People tend to truly appreciate the importance of IT security only after the fact. Beforehand, IT security threats tend to be conceptual and fluid rather than feeling like something specific to be on guard for. A vague threat leads to sloppy security habits (for both users and IT staff!) until a security incident occurs. The incident then triggers a reactive blitz of security initiatives, which gradually fades until the next incident. Implementing structure is critical, but if you are like most, you have probably had to postpone strategic IT security work to keep day-to-day operations running. As an ongoing effort, your IT group must step up and actively engage the business units to work together, both strategically and tactically, to break this cycle.
To implement quality IT security that will last for the long term, it is critical to get ongoing support from your senior management. Although they definitely want things to be secure, getting them to commit may be a challenge. They are in the difficult position of wanting good IT security while not being able to allow anything that would significantly hinder business functions. It is up to you to present what you consider a reasonable option and to make a case for how you will approach it. Breaking the work into stages and updating management on your steady progress is a good way to accomplish this. Be prepared for some push-back, however. Executives naturally want the staff to function efficiently. They have a broader perspective and much more to consider than just the IT aspects that take up most of your time.
The appropriate security level varies with the business you are in and with the content and sensitivity of what you handle. You would secure your nuclear launch codes differently than your child’s MP3 of The Wiggles. There is a huge array of aspects to consider, including exposure of information, remote access to systems, and especially mobile equipment that goes missing when nobody knows exactly what data was on it. Internal unauthorized access is often the biggest risk, yet it is something many organizations tend to be very lax about. Keep in mind as well that at a certain point you will see diminishing returns: the final increments become disproportionately expensive while delivering decreasing value. As an IT professional, you will need to regularly reconsider the balance and consistently push your organization in the right direction.
Education and training of your users can make a difference, but since they are not technical people, they are primarily interested in how security will affect them. Throwing statistics at them and explaining that everyone is at risk is not terribly effective, yet you will ultimately need their support and compliance for IT security to succeed. Implementing technology to enhance security can make a huge difference, and there are many very good security products on the market, but an improperly used tool will have little effect. Security is fallible because it ultimately rests with people. It becomes a matter of understanding reasonable risk and ensuring proper communication about the what, the why and the how of IT security.
Having a good IT security policy is important, but what you really need is good IT security.