There is bias in every decision. Too much in any direction is not a good thing.

I’ve supported a lot of cyber operations, product procurements, product deployments. I’ve consulted some of the largest Fortune companies in the world, some of the biggest Governments, non-profits, research centers, and so forth. Although all these experiences were unique, there was something that did become apparent to me.

Perhaps there is a model already for what I’m about to explain. Searching online, I couldn’t find any such model, so here I am.

The security vs. productivity paradigm: users typically introduce unintended risks into the environment when there is too much friction in their way. When too much friction is placed on productivity, users get creative to "get the job done." For example, DoD banned R/RW CDs, and its user base turned to USB devices, which at the time had little to no monitoring. To see how that turned out, look up Operation Buckshot Yankee (OBY).

Before I share this, know this will be common sense to most. It’s those things which are so logical when you first look at them, when you have the “why didn’t I think of this” or the “yeah, of course it’s this way…” moment — these are what I find to be the best models. So, for those who already created such a model or who think it’s so obvious it needs no further definition, I apologize.

The goal, for every decision, is to be the top right quadrant. You want every decision to take your workforce and further enable their productivity and improve the security at the same time.

However, for many decisions that won’t be possible. You’ll need to be either the top left or the bottom right quadrant. This really should be based on your organization’s biases: does your organization tend to be more secure at the detriment of productivity? Or does your organization tend to drive productivity, with the security gaps and residual risks, at a minimum, identified?

Unfortunately, many of my experiences have taught me that if you lower the operational productivity of your workforce, they will find ways around the policies. For example, trying to remove USB devices from the Government, without offering other mediums of data transfer, led to personnel finding even worse means of getting data off systems. This is far from ideal: the drive to improve security was itself defeated. With this example, what started off as a bottom right quadrant decision (better security, worse productivity) ended up being a bottom left decision when all was said and done.

Things aren’t static, especially people and their workflows.

It’s the job of the CISO, in partnership with the larger CIO organization and all other mission stakeholders, to drive the right decisions. However, it’s important that they continuously re-evaluate these decisions. Without doing that, you very well could be running an organization that tends to sit in the bottom left quadrant — a place no one wants to be.