Business is all about making tough choices. One such choice is whether to value IT security or business flexibility more. Unfortunately, you can't have the best of both at once.
While having absolute security or flexibility may sound good, neither is actually for the best. An entirely secure environment is tough on users, a fully flexible IT environment is near impossible to keep safe.
When weighing security and flexibility, you might think of it on a sliding scale: more of one means sacrificing some of the other. If you amp up your security, you can limit business productivity. Your staff may try to get work done and bump up against security constraints. Or you may decide to give your people full flexibility, but you do so at the risk of leaving your business more vulnerable to attack.
Where you want to land on this sliding scale can depend on your industry. A bank protecting funds or a hospital with private patient data would prioritize security. Alternately, a small widgets business might not worry about data security as much.
Still, it's a tough choice to make. Security company Balabit asked European IT pros to choose between IT security and business flexibility. In general, 71 percent thought security was equally or more important than flexibility. But when asked whether they'd risk security to clinch a major deal, 69 percent were willing to take their chances.
Finding the Right Balance
Leaders have to find the sweet spot between IT security and business flexibility. Striking the right balance is essential to successful security measures and flexibility aims.
One major consideration is the type of data the IT security is protecting. Credit card or health insurance companies are responsible for securing customer information. A university with many networked computers also needs to think about security; otherwise, criminals might target the school's processors to power their attacks.
The potential impacts of a security breach are also a factor. Cyberattacks can mean business disruption, and lost productivity and business revenue, plus damage to brand reputation and loss of customer loyalty. A business in a highly regulated industry could also face massive fines and legal fees.
Assessing the risk of attack also helps. For example, a company with a billion-dollar idea, or a utility, face greater risk than a tuna packet labeler. Another consideration would be history of suspicious activity: if your business has already suffered an attack, security should be a priority. Likewise, if your industry is a common target for cybercriminals, you can't take unnecessary chances.
Then, there's the demand for business flexibility. How much do you need and in what situations? For instance, allowing employees to use their own devices is a convenience for some, but it's a necessity in other environments.
The ability to control security and flexibility on a situation-by-situation basis can help. In instances where customers' identifying information is exchanged, security would trump flexibility. But when work teams collaborate globally, business flexibility is the more important aim.