Security that interferes with business operations
A company had given temporary and part-time employees narrower access privileges than regular employees, but it had become a regular practice for regular employees to download files that those employees needed to view for business purposes and pass them on. The company held security training sessions and granted the same privileges to all employees. My former employer, for example, would have destroyed that means of passing them on.
The security incident history of both companies makes it clear which is the correct approach. The basis of security is records and controls. They know how astonishing shadow IT can be, since it destroys both at once. The countermeasures are not restrictions or bans, but rather the development of the environment and systems, and education. A company that cannot trust its employees has no future.
Instead of giving authority and making the action officially sanctioned, record.

---
This page is auto-translated from /nishio/業務の妨げになるセキュリティ. If you find something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I'm very happy to spread my thoughts to non-Japanese readers.