Contributor

Information security and employee productivity in conflict

Opinion
Sep 15, 2015 | 4 mins
Security

How to achieve a security operation without weighing down your employees


It is widely agreed that employee buy-in and the adoption of a security culture within organizations is critical to maintaining good information security. Sadly, it appears that many employees are not on board with incorporating secure practices into their work life. This is curious, given that their livelihood depends on the success of their employers. A few years ago, I would have suggested that this was the result of a lack of communication on the part of the employer. While that is probably still somewhat true today, employee training and communication in this area have significantly improved.

In Context Aware Security, a study conducted by Dell involving 460 IT professionals and 301 end users, a huge majority, 91%, said they were negatively impacted by their employer’s security approach. Could it be that simple, with our employees really wanting to help, and us making it hard for them to do so?

Having been the head of information security for a variety of companies, I would have to say honestly that employee convenience has never been at the top of my priority list when deciding which security measures to implement. Based on my experience and mindset, tight security has always been king, with user convenience barely making it as part of the royal court. While I have myself improved in this area, I am still a bit convicted by the above statistics. 

While I would never compromise security to make life more convenient for people, given the importance of user participation, it is reasonable to find areas of middle ground where possible. 

If you are struggling to balance user convenience with security, consider the following ideas: 

Job descriptions

Information security should be incorporated into every job description, regardless of position. Every employee has to take responsibility for security, so their job descriptions should reflect that. By the same token, this is a reminder to managers that time has to be allotted in each employee’s work day to meet these requirements, as we would for any other element of the job description. If we try to impose many additional time-consuming restrictions on an otherwise busy employee base, something will suffer, and security is the likely victim. 

Tools and automation

There are a variety of automated approaches and tools that can help make the user’s life easier. One of my favorites is single sign-on. This approach allows for a coordinated login to multiple systems. This must be done carefully, because a poor implementation can introduce additional security exposures. Given that, according to Dell, 87% of users have to remember multiple user name/password combinations (most report having two to five combinations, with some reporting that they use more than 10), single sign-on can be of real benefit. The right tools can make the user experience even better. I am a fan of identity management products that allow the user to log in to multiple systems from a single Web interface, my favorite being Okta. Since these tools can also be used to automate adding and removing users, administrators quickly become fans themselves.

Support

If we truly want to have our users be full participants in the security process, we can help them by providing the best possible support when they have security-related help desk issues. I think lost passwords are a good example of an area for improvement in support. I have been guilty myself of being grumpy with users who forgot their password. At the same time, if we require frequent password changes using inane combinations of characters, lost passwords are inevitable. We can help by being understanding, friendly and quick to respond. There is little more frustrating than having work to do, and being unable to log in to do it. 

Training

We cannot expect users to be partners in the security process if they don’t understand how. In my experience, security training is too often done to meet an audit requirement, instead of intending to really help the users to understand the risks and solutions. We can help by providing good-quality and engaging training materials. As a matter of policy, I never put a user through security training that I have not been through myself. It also helps to offer the training at their convenience, the easiest approach being the use of online training products. In my article “Thanks for all the phish,” I mentioned a product from eLearning Corner that I found to strike the right balance between information and user engagement.


Bottom line: We too often see our users as security adversaries rather than partners. A simple change in mindset can result in a measurable improvement to corporate security. This mindset change may be the most economical change we can make to improve security.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
