Information Security Strategy: Stop Punishing End Users

An interesting article by Joseph Granneman:

For many years, companies have focused their security efforts on implementing rules to lock down the end user. I learned the hard way that this strategy doesn’t necessarily lead to better security.

In the past, I believed, as many of you do, that implementing a security program meant taking control of as many factors in the environment as possible. In 2009, when I read a paper by Microsoft Research’s Cormac Herley that criticized this tactic, I was shocked and outraged. He argued that information security programs often focus too much on policies and procedures that don’t actually reduce risk and ultimately increase costs. At the time, I was a CSO like many others — scraping for resources in both staffing and budgets. The last thing I needed was resistance to the policies and procedures I tried to put in place.

Read the rest here.
