First of all, minimise the productivity impact of security by making it as transparent as possible to the end-user. Ideally, they won't have to use any extra commands, answer any pop-ups, or go through any extra screens in order to operate securely. And if the action requested by the user is allowed, just let it happen.
A good example is the Windows User Account Control slider. If users are given the option, they will lower the security level to avoid having to respond to an extra prompt. In other words, if you are going to give them the authority to perform certain actions after a prompt, why trouble them with the extra steps?
Security controls stop people from doing things because of a risk such as data loss, but the same controls can also enforce best practice. In addition to restricting actions that carry a security risk, we can discourage people from doing things they should not do because of the underlying operational risk. And with proper controls, we can do better than the "Are you really sure you want to?" pop-ups that most users just click through anyway.
Also not to be forgotten is the huge pool of information residing in the compliance logs, from which we can identify patterns that could indicate security threats and, most importantly, see where security and other procedures, such as the configuration of new systems, are taking a toll on productivity. Understanding these patterns can in turn help the company train employees better and simplify procedures, forming the basis of new best practices. Once those best practices are discovered, the right controls can then be used to ensure adherence.
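The paragraph above describes two uses of the same log data: spotting actions that are prompted for over and over yet always approved (friction that a silent allow rule could remove) and spotting users who repeatedly hit denials (a training need or something worth a closer look). The script below is an added illustration of that analysis; it is not code from the article or from BeyondTrust, and the four-field CSV log format it parses (timestamp, user, command, outcome) and the sample lines are constructed for the example. Real privilege-management products use their own log schemas, so the parser is the part to adapt.

```python
"""Summarise a privilege-elevation audit log to surface productivity
friction and potential security signals.

Hypothetical log format (constructed for this example):
    timestamp,user,command,outcome
where outcome is ALLOWED (no prompt), PROMPTED (user approved a prompt)
or DENIED (blocked by policy).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines; not real data. Includes a comment line and a
# malformed line so the parser's tolerance is exercised.
SAMPLE_LOG = """\
# elevation audit export, constructed sample
2024-03-01T09:00:01Z,alice,installer.exe,PROMPTED
2024-03-01T09:05:12Z,bob,installer.exe,PROMPTED
2024-03-01T09:07:40Z,carol,installer.exe,PROMPTED
2024-03-01T09:09:03Z,dave,installer.exe,PROMPTED
2024-03-01T09:15:30Z,alice,vpnclient.exe,PROMPTED
2024-03-01T09:16:02Z,carol,vpnclient.exe,PROMPTED
2024-03-01T10:02:11Z,bob,regedit.exe,PROMPTED
2024-03-01T10:03:55Z,bob,regedit.exe,DENIED
2024-03-01T10:20:00Z,dave,notepad.exe,ALLOWED
2024-03-01T11:01:17Z,mallory,regedit.exe,DENIED
2024-03-01T11:01:45Z,mallory,diskpart.exe,DENIED
2024-03-01T11:02:10Z,mallory,services.msc,DENIED
this,line,is-malformed
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    command: str
    outcome: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV format, skipping comments and malformed lines
    instead of aborting the whole analysis on one bad record."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        ts, user, command, outcome = (p.strip() for p in parts)
        events.append(Event(ts, user, command, outcome.upper()))
    return events


def friction_report(events: List[Event], min_prompts: int = 3) -> List[str]:
    """Commands prompted at least `min_prompts` times and never denied.

    These are the cases the article describes: the user is going to be
    allowed anyway, so the prompt only costs time. They are candidates for
    a policy rule that allows them silently."""
    prompted: Counter = Counter()
    denied: Counter = Counter()
    for e in events:
        if e.outcome == "PROMPTED":
            prompted[e.command] += 1
        elif e.outcome == "DENIED":
            denied[e.command] += 1
    return sorted(c for c, n in prompted.items()
                  if n >= min_prompts and denied[c] == 0)


def denial_report(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Users with `threshold` or more denied elevations.

    Repeated denials either mean the person has not been trained on the
    sanctioned way to do the task, or mean something that merits a look
    by the security team. Either way it is a pattern worth acting on."""
    per_user = Counter(e.user for e in events if e.outcome == "DENIED")
    return {u: n for u, n in sorted(per_user.items()) if n >= threshold}


def summarise(text: str) -> Dict[str, object]:
    """Run both reports over a log export and return them together."""
    events = parse_log(text)
    return {
        "events": len(events),
        "silent_allow_candidates": friction_report(events),
        "repeated_denials": denial_report(events),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately parameters: what counts as "repeated" depends on the size of the user base and how long the log export covers, and the output is a starting point for a policy review, not an automatic rule change.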
The trade-off between productivity and security is dynamic. People, whether employees, partners or third-party associates, get access to what they need to do their jobs, and no more. They are not given the keys to the kingdom in the form of root access on servers or administrator rights on the desktop, which opens the door to both accidental and intentional error, but neither do they have to raise their hand every time they want access to data or to the critical applications they need to do their jobs.
Geoff Haggart, president, leads all international aspects of BeyondTrust, including customer relations and support, business development, operations and international revenue growth. Before joining BeyondTrust, Haggart served as senior vice president of international sales at Websense.