Bad identity security without a doubt will hinder the productivity of an organisation - weighing it down with excessive login requests, inconsistent policies and visibility, and force frustrated users into poor security habits. Good identity security doesn't hinder productivity - it helps.
This is perhaps best expressed within enterprise authentication. More specifically, in the difference between those enterprises that have to constantly shuffle between a decentralised sprawl of apps and authentication systems, and those that opt for a single authentication authority to provide a consistent, secure experience on both the front and back end.
An all too common problem
Perhaps part of the reason for this misapprehension is how widespread it is. A Vanson Bourne survey from 2017 bears out what has long been believed by many - 74 percent of CISOs said that employees believe cybersecurity to hinder, not help productivity and 81 percent said they saw it as a further hindrance to innovation. In many cases, cybersecurity may well halt productivity in certain situations.
The average enterprise has 130 apps deployed. If each has their own method of authentication, it must be nothing less than a headache for everyone involved. That inconsistency trickles down throughout the enterprise too.
The more passwords employees have to enter, the more they’re likely to produce easy to guess, forgettable or duplicate passwords. The average employee wastes 11 hours a year messing with passwords - entering, resetting and managing them. Not to mention the wasted time for IT and help desk departments who have to deal with and scrutinise those requests.
Unfortunately employees are often considered the greatest threat to IT security. Surveys even show that enterprises see them as greater threats than even cybercriminals. There’s a great deal of truth to that - but the fact is that people can only remember so many passwords, and rightly see authentication as a time drain when they have to do it multiple times a day. In the failure to understand that fact - resentment and frustration breed.
Burdensome security lowers its own value
Security doesn't just have to fight against cyber-threats, it has to fight a PR battle within the workplace too. Security practitioners find themselves in an unenviable position. When they do
their job correctly, you’ll hardly know they’re there - so they seem like a burden which does little more than divert budget away from revenue generating parts of an enterprise.
That same Vanson Bourne survey from 2017 said that 77 percent of CISOs feel as though they’re caught between securing their workplaces and allowing people to do their job.
When security frustrates a user experience they are far more likely to override the necessary - if burdensome - controls and endanger the organisation. They create weak passwords and they’ll reuse old ones. Insider threats are more common than external and they often come from oversights like this.
On a broader level, when security becomes seen as a burden - it alienates other parts of the business and erodes the collective belief in security. What starts in people’s minds is likely to trickle down to budgets too - when security is seen as an obstacle to profit - executives are less inclined to hand out necessary budgets for improvements and operational costs.
Bad IT security halts digital transformations
Bad identity security can quickly turn from a productivity drag to a real obstacle to innovation. This disjointed system of authentication doesn’t just amount to unneeded complexity around security and usability but actually halts digital transformations in their tracks as well.
As long as old, inconsistent systems aren’t cloud ready - and they often aren’t - organisations struggle to extend authentication services to the cloud. This is a fatal drawback at a time when the cloud is transforming the way the entire world does business.
They’ll run into problems when it comes to the IoT too. As tempting an opportunity as the IoT is for many - secure seizure of that opportunity requires a way to manage the potentially thousands or even millions of device identities that might make up a deployment. The same goes for APIs and DevOps - their increasing use within the enterprise means yet more complex identity and access management requirements.
Without an authority to protect this growing mass of complexity, enterprises invite risks and security problems further down the line.
The same is true of the general expansion of IT within the enterprise. Enterprises increasingly have to deal with more systems, users, apps and data - without a way to get the authentication processes under control - they'll struggle to transform as long as they’re weighed down by yesterday’s systems.
What does productivity-boosting security look like?
This problem is not about security - it's about mismanagement.
As aforementioned - the average enterprise has around 130 apps deployed. That’s a frustration for users to log into and remember passwords for, it creates an unnecessary amount of work for IT security and 130 potential points of entry for an attacker. Not to mention a huge productivity drag for the enterprise at large.
The solution is to establish an authentication authority as the single source of truth within the enterprise.
This primarily allows enterprises to manage the sprawl of inconsistent identities and authentication methods within the enterprise so IT security can become agile. It allows the enterprise to accelerate application onboarding and provides a central hub for stronger step-up authentication that is adaptive and risk-based.
From there, application management can be handed over to business application teams and relieve burdened IT teams and promote productivity and speed that were so previously lacking.
Which, of course, brings us to the user experience which will be vastly simplified and made more productive by replacing the scores of authentication systems with one single source of truth. That productivity boost can be supplemented by largely removing the burden of passwords through things like single sign-on or passwordless authentication which leverages security factors like push notifications or biometrics.
Furthermore, continuous authentication allows the authority to work behind the scenes, leaving users alone during low risk activities and making smarter decisions when requesting step up authentication. This intelligent approach leverages real-time, dynamic security factors to authenticate users on an ongoing basis and doesn’t add friction to the user experience, allowing them to do their job largely uninterrupted by authentication prompts.
IT security often gets an unfairly bad rap but it doesn't have to be that way. IT security isn't just about defending from outside attacks, but inside compromise too. When it doesn’t work in tandem with the rest of business - and obstructs productivity - it weakens its legitimacy inside the enterprise which in turn diminishes its ability to do its job.