Best tips for Blending Cyber Security and Productivity
Whether you are a government agency or a private organization, the puzzle of productivity has remained unsolved, until now. Central to any organization is the challenge of controlling costs and meeting objectives. Organizations pay people not just for their time but for their skills and knowledge as well; talent is where the value lies, but it is also where the high expenses are. Managers have one goal: getting the most value from employees for their expenses. Online work and new technologies have changed the ability to track productivity. Despite the technological advantage, employee productivity is still difficult for business and government to measure. Even when a company does figure out the best practices for measurement, it often does so in a silo. Often, upper management comes down on the rest of the organization to be more productive, but other managers don’t see the end goal and thus start measuring productivity for the sake of productivity.
Recently, however, as understanding of cyber attacks has risen, managers of organizations seem to be pushing back hard against cyber security, claiming it will be disruptive to work and productivity. This argument has created a black-and-white scenario in which cyber security is pitted against productivity for internal budget funds. This doesn’t have to be the case; in fact, cyber security and productivity can go hand in hand thanks to technology advances in both. Below you will find a list of best practices in productivity and a list of best practices for people-oriented cyber security.
Best Productivity Practices
Productivity is not a monolith; what works for one organization will likely not work for another. In today’s world, most of the work that will be done is knowledge-based or strategic in nature. These are jobs that are non-repetitive and require a lot of creative thought, which can be hard to measure in numbers. In the United States, about 48% of workers can be classified as knowledge workers due to the nature of their jobs. This means productivity management needs to change as well.
Measuring for Outcomes
Organizations usually care about the final outcomes of work, not the output. There is a difference between an outcome and an output. An output is a quantifiable measure, and for a while it was acceptable to use it as a measure of outcome as well, but output alone doesn’t equate to business value or to coming closer to strategic goals. Tracking outcomes means tracking the impact that activities have on your organization over time.
Flexible Framework Management
University productivity models have been cited as an ideal for managing productivity of on-site and remote workers. Universities tend to implement different measurement systems that reflect the relationships between managers and employees. The two parties sit down and agree to realistic outcomes, as opposed to only outputs. These systems are usually contextually valid and reduce inefficient measures. Often these flexible frameworks implement multidimensional measurement to assess productivity.
Time and task tracking are a powerful duo that produces a large amount of insight for your organization. Advances in technology have made time and task tracking a very simple process that only requires the click of a button by an employee. This can be further automated so that employees log in to the system and just get to work. Objective tracking transforms strategic goals into bite-sized individual objectives that employees complete in order to move things forward. As employees complete their objectives, they’re measured against time so that they can be evaluated for how their individual productivity is contributing to company performance.
Cyber security and Productivity
Both cyber security and productivity share the goal of enhancing the mission of the organization. The intersection of cyber security and productivity exists at the process level, specifically when developing a cyber security strategy and integrating it with operations. Below are some tips that blend the advice above into your efforts to achieve a more secure environment.
- Minimal Disruption:
When engaging in process development, it’s important to understand that people don’t like change. If a new process has too much of an impact on everyday work, it will fail at the onboarding stage, which creates vulnerability via people. Above you saw both outcome tracking and passive analytics. These are two technologies that can be blended together with the shared goal of not disrupting employees in their day-to-day jobs.
- Process First, Tech Later:
Technology is great, but it should be implemented only after root causes have been identified and the processes that were disruptive to productivity have been changed. If you implement technology on top of an as-is process, the result will likely be more complexity and more inefficiency. When designing a new security process, there needs to be a behavioral process change first, then an automation of that new behavior. At its heart, process design is the effort of creating repetition; automation comes afterward, in an effort to make that repetition faster.
Processes are as secure as possible only when security is integrated from the start. Operationally, security means confidentiality, integrity, and availability. The security-by-design framework was built on these three pillars. Merged with productivity, it looks something like the following:
- Principle of Least Privilege:
Access to information is limited to a need-to-know basis. Users operate with a minimal set of privileges. Regardless of someone’s role, this principle should apply throughout the whole network.
- Fail Safely:
Backup processes need to be developed so that, even in a failed state, work can continue while remaining unexposed to threat.
Ensure that systems provide only what is needed while reducing bottlenecks. The more complex a security system is in its features, organization, and integrations, the more exposed it becomes to threat and bypass. The simpler a system is, the easier it is to oversee and control.
- Don’t Accept Obscurity:
Systems dependent on secrecy will often be exposed or rendered obsolete. Secrecy in private institutions often does not last long, mainly due to insiders.
- Psychological Acceptability:
Security needs to be fully integrated with the current process, not another process that people must perform on top of their current job. The goal is to avoid creating a bottleneck that keeps them from continuing their work. A cyber security system must be user-centric and take into account what an employee’s job is. Only frustration and more risk of insider threat develop when you ignore people’s needs.
- Layers upon Layers:
Do not rely on just one mode of defense; any mode is subject to bypass. By implementing a combination of systems that are visible and invisible to the user, you will have a few layers of defense against both potential insider breaches and external ones.
Cyber security doesn’t have to be at odds with productivity. In fact, the data you collect from your cyber security efforts can also serve as data for productivity analysis. By implementing a strong insider threat cyber security solution, you can gain insights and value for both enhanced security and behavioral analytics for productivity analysis. Given the massive boost in technology and people’s adoption of processes now, it would be good to experiment with the concepts laid out above.