Security has traditionally been the domain of the IT department - more specifically, the security staff and chief security officer. From these flow security policies, rules that are laid down for the protection of the company's assets.
Convenience vs. security
However, as we have seen with BYOD in particular and shadow IT in general - where departments will, for example, buy in cloud services or download applications without going through IT - if employees perceive rules as inconvenient and obstructive, those rules are often circumvented or ignored.
Security procedures in particular are likely to be perceived as inconvenient. To take an extreme example, blocking up your front door and windows will prevent burglaries and be a very effective security measure, but it is hardly convenient. Therefore it is necessary to strike a balance between convenience and security - one that enables the company to at least meet its legal obligations while still allowing employees to perform their tasks effectively.
Education and engagement
Employee productivity is of course important, but it should not create vulnerabilities for the company as a whole. Embedding security awareness into employees' routines and processes can help to highlight that speed and convenience are not the sole criteria for getting the job done.
In today's world, security is already everyone's business when using smartphones and other personal devices. Familiarity with the basic concepts already exists. So corporate security procedures should treat users like adults, rather than assuming that people are totally ignorant about security. In training and focus groups, security teams and users should engage equally in conversations. Security teams can then learn about the challenges users face and users can be involved with drawing up security procedures.
An example of the kind of initiative that could emerge from such a conversation is single sign-on. If a password ageing policy is in force, single sign-on can help reduce the number of passwords that people need to remember, even if they have to change them regularly. Similarly, password managers can alleviate the burden of remembering multiple codes and therefore eliminate the need to write down passwords on paper in the office.
At the same time, security teams can explain to users why certain procedures need to be followed, as well as the possible consequences for the organisation if they are not. There is business value in security, so unit managers should also be involved in drawing up policies for their departments, rather than automatically applying all procedures across the entire organisation.
A regular email around the company can help to remind people of the importance of policies, as well as bring them up to date with the latest news (such as attacks recently averted). You can remind people that introducing new devices or applications onto the network can create security issues that must be addressed before rather than after deployment.
In this way, with goodwill from users and managers built up over time, you can create a culture of security, where users - who wittingly or not are most likely to be the main vectors of attack - can help to build rather than erode a secure organisation.