CISO, Boston University

Can security and convenience be mutually exclusive?

Opinion
Dec 05, 2014 | 5 mins
Data and Information Security, IT Leadership

These days, clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience.

“Security is a pain; it just gets in the way.”

“Every time you security guys want to install something, it makes it harder for me to do my job.” 

“I understand that we want to be secure, but this is getting ridiculous…” 

If you have worked in Information/Cyber Security for any length of time, you have heard these complaints. (Perhaps you have even made them yourself … I have.)


One objection that security professionals face every day is that you can’t have both; that security and convenience are on opposite ends of a mutually exclusive continuum:

[Figure: continuum from convenient to secure]

I reject that objection: security and convenience are not mutually exclusive. Yes, this used to be true, or at least mostly true, and still definitely can be, but things are changing in the security industry. These days, clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience.

The word “unreasonable” is really the key to all this. People understand the need for security – they really do! People are fine with doing a few simple, common-sense things to help be secure as long as the demands don’t go too far. Most people lock their house and car, especially in the city; but most people also complain about the security at the airport as being overboard. It is when security becomes obtrusive that issues arise. This is an issue with how people feel about something; it is the end user—not security—that defines this particular type of success. (More on this point in a future blog.)

Convenience AND Security

This situation evolved in a completely understandable way. One of the central models of Information Security is called the InfoSec Triad: Confidentiality, Integrity and Availability. We as professionals are supposed to design all solutions with an appropriate balance of these three central tenets. But it is easy for security practitioners and product designers to spend all our time thinking about the confidentiality side—preventing unauthorized people from accessing information—and not as much time thinking about the availability side—allowing authorized people the appropriate access. Yes, it is true that unless we have strong control over confidentiality (usually via access control), we cannot ensure availability only to the right people, and this leads to the attitude that confidentiality is more important than availability, but this is not how solutions should be designed.

These three core tenets are all equally important, and we practitioners need to be developing solutions with this in mind and awarding contracts to companies that understand and actively support this concept. Otherwise, we end up with solutions that people complain are too demanding of them in the name of good security.

The consumerization of IT has helped. One example: People once had no choice but to rely on their internal IT group to provide network storage. Today, there are a large and growing number of cloud vendors that will give consumers huge amounts of easily accessed and shared storage at no monetary cost. People, frustrated with the options (or lack thereof) available from their IT shop, or with the chargeback structure, or with a host of other things, can now go online to solve their own issue, completely bypassing IT (and therefore many kinds of security that the organization might have in place) – and are doing so in droves. If you think this is not happening in your organization, think again.

This trend of simple, self-service IT has led people to have those same expectations for security. People expect security to be built in and to be reasonable; to not impact them more than it absolutely has to. And, where it does have to impact them, to have a clear reason behind it.

Security is going through a very exciting period right now. More and more vendors understand these points and are bringing new designs to the table: 

  • Solutions that can bring a strong security benefit with minimal impact to the end user or customer—sometimes to the point that the end user is completely unaware that a security feature is functioning to protect them. 
  • Solutions that bring benefits not only to the security team, but to other units inside an organization as well—often going so far as to reduce the budget other groups need to spend to maintain their core business function. 
  • Solutions that reduce the complexity of security, thereby reducing the number of systems required, the number of points of failure, the cost and the total amount of support required.   
  • Solutions that make security more transparent to the end user or that provide explicit and clear information to the end user at the moment that person is making a security decision—a greatly-desirable capability I have been talking about for years.

This blog will focus on topics like this. What can we do, what solutions are out there, what does not yet exist that should, what should we be demanding from the industry and from vendors? Things that can help us build simpler, more effective, more cost-effective and more convenient security.

Next time: VMs designed for sensitive research and business needs. Building a gold image that already includes the security features required for HIPAA/PCI/NIST/FISMA/name your regulation, allowing researchers and business people to spin up new compliant servers in moments.

Quinn R. Shamblin's philosophy is that convenience and security are not mutually exclusive - good security can be achieved simultaneously with user convenience. Contrary to what people believe, the work of a good information security professional is not to say "no" to a business goal or request, but to find a safe way to say "yes". This philosophy comes from experience gathered throughout a very diverse career.

Quinn started his career as an officer in the U.S. Navy, teaching sailors how to operate the nuclear reactors found on U.S. submarines and aircraft carriers. He then moved into staff and project management in the IT field, spending several years leading the technical development and support of TIBCO technologies for Procter & Gamble, HP, and Hydus, Inc. Quinn then joined the University of Cincinnati as a Cybercrime Investigator, then Manager of Information Security and finally, Director of Information Security. Quinn is now the Information Security Officer at Boston University, one of the leading urban research universities in the world, ranked 41st in the U.S. (U.S. News & World Report) and 50th in the world (Times of London) in 2013. BU is the fourth largest private university in the U.S. with 33,500 students and 9,000 faculty and staff in 16 Schools and Colleges and association with Boston Medical Center.

Quinn is a sought-after presenter in the Information Security field. He has given talks for CSO magazine, the Brazilian government, the FBI, Evanta, EDUCAUSE and many other national, regional and local organizations. He and the team that created Boston University's Premium Secure VM Service won the CSO50 Security Innovation Award in 2014.

Quinn holds an MBA from the University of Cincinnati, a B.S. in Physics from Andrews University and numerous professional certifications, including: CISM, CISSP, ITIL and previously, PMP, GIAC Certified Forensics Analyst (GCFA).

The opinions expressed in this blog are those of Quinn R. Shamblin and do not necessarily represent those of Boston University or IDG Communications, Inc., its parent, subsidiary or affiliated companies.