In most organizations, security is only one goal among many.
Employees have targets to reach, deadlines to meet, and a steady stream of tasks that require their immediate attention.
You too have probably seen at least one article that tells you “How to boost your productivity” and have sat in a meeting discussing the targets to hit in the year to come.
In today’s fast-paced world, the concept of productivity has evolved beyond simple efficiency and effectiveness. It has transformed into a widespread culture that permeates personal and professional lives alike.
Productivity is a double-edged sword.
Productivity can increase overall efficiency, encourage personal growth and raise employee engagement levels by setting clear expectations, offering recognition, and providing continuous feedback. But it can also compromise work quality by prioritizing output volume, worsen employee morale and decrease engagement by imposing constant pressure to perform, consequently leading to burnout.
However, while productivity itself is not necessarily a bad thing, a prominent productivity culture that is not integrated with security can have implications for security professionals, as well as for the overall security posture of the organization.
Are we the problem or are they the problem?
The security versus productivity dilemma has been present in the public discourse for a while now, but the COVID-19 pandemic has brought it back into the centre of attention.
When offices were under lockdown, many companies suddenly switched to remote working to maintain business continuity. This desire to sustain productivity clashed with voices of concern regarding safety and data security. With employees getting remote access to corporate networks and company data, IT professionals had to ensure that appropriate cybersecurity measures could protect all sensitive information.
The risk of losing market competitiveness eclipsed most of the cybersecurity concerns at hand. Employees without access to critical information wouldn’t be able to do their jobs effectively, halting the company’s operations altogether. It thus became a balancing act.
Even more interesting, recent studies have shown that many employees view security measures as a hindrance and a waste of time and are more worried about meeting deadlines than about accidentally causing a security breach.
In the HP Wolf Security Rebellions & Rejections report, it is noted that especially the younger demographic is willing to put productivity over security – nearly a third of workers (31%) between 18 and 24 years old admitted to trying to bypass corporate security policies to get the work done. 64% of this age group views essential security measures as a waste of time, and 39% were unsure or unaware of the security policies in place.
What’s more, according to the research carried out by Vanson Bourne, the educate-and-prohibit approach is not particularly effective, nor is it sustainable. It can easily lead to tension between employees and the security department.
When employees’ primary role is not within security, and yet they are asked to take it into consideration in all they do and suddenly fully adopt this security mindset, it often hinders their productivity and creates high levels of frustration. Moreover, it often stands in direct opposition to the pressure and expectations of the immediate upper management, which expects results as fast as possible, creating an incentive to push security into the backseat.
Even two-factor authentication can quickly become annoying if an employee is required to log in to several sites, multiple times a day. Login fatigue can result in login sharing, delegating tasks to others, figuring out a workaround, and even simply avoiding the work altogether, just to skip logging in. Complex login procedures stifle productivity and leave employees annoyed, with the feeling of wasted time and effort.
Security often demands that things be done not in the quickest way, but in the right way – and if the management and the overall organizational culture value output above all else, it will motivate employees to simply ignore the security policies. It is therefore not completely reasonable to expect employees to stifle their professional growth by hindering their productivity in the name of security, especially if the organization does not have a united front on that matter and is sending mixed signals.
Employees thus feel like their time is not respected, and the expectations they are working under are brushed aside. On the other side, the security teams also feel unappreciated and misunderstood – they are often ignored and forced to play the bad guy.
Those two groups can then blame each other for hindering their performance, fuelling mutual aversion and unwillingness to cooperate, transforming an unfavourable situation into a true nightmare to navigate.
According to Same Solutions, the list of things that most security departments want to have their employees do is the following:
- Have a security mindset – have some level of interest in security, be willing to learn about key security issues and security resources, use those resources when needed, always have an appropriate level of awareness, and have a healthy level of suspicion
- Protect the sites – wearing badges and not lending them to others, avoiding tailgating and opening the doors to strangers, hosting visitors properly, ensuring only approved access to sensitive areas, calling security if any of the above are out of place and reporting security gaps
- Travel safely – researching trips, following the appropriate travel process and booking via appropriate channels, using approved accommodation and transport, keeping the security mindset on during the trip and knowing what to do if an incident occurs
- Protect the information – keeping the desk clean, avoiding phishing scams, not leaving any devices unattended, using strong passwords, avoiding talking loudly in public about sensitive matters, using privacy screens, and being aware of social engineering tactics
- See something, say something – keeping a security emergency number on your phone, assuming that suspicious behaviour might be potentially dangerous, reporting incidents, security gaps, potential threats, lost devices and badges as soon as possible
The list goes on, but it might be beneficial to recognize two things. One: a list like this is certainly an important factor in keeping the organization secure. Two: it is also a long list that, when followed to the letter, might add some stress and mental burden to a regular employee. The role of the employee is to follow this list diligently; perhaps security could make it as easy and comprehensible as possible, making sure that this list does not clash with any other expectations placed on the employees from elsewhere.
The predicament of misery
It seems that there are no easy solutions to this complex problem. Culture is a blurry concept, and to effectively change it, we must first ensure that all parts of the organization are unified in their approach. Changing only one part will lead to contradiction, which will lead to more frustration, which will result in weaker security.
Productivity and security must find balance, and they cannot stand in opposition to one another. Messaging must be clear from all directions – sometimes it is okay to take longer to do your job to do it safely. It should not only come from the security team but from everywhere – this is what it means to make security everyone’s responsibility. Diligence should be genuinely valued and appreciated as much as productivity. Quality should be as much in demand as quantity.
At the same time, the security systems and procedures should strive to become more practical and user-friendly, so as not to hinder employees. Only then is security truly adding value to the organization, and to achieve that, employee input is invaluable. This could lead to closer cooperation, preventing security from becoming siloed and detached from the rest of the organization.
Maybe then we can finally answer the questions:
How do we make productivity more secure? And how can security best enable productivity?
When both sides reach an understanding and adjust accordingly, perhaps then we will solve this predicament of misery.
Sources:
https://devicie.com/articles/security-versus-productivity-dilemma
https://www.bromium.com/wp-content/uploads/2017/10/The-CISOs-Dilemma-Report-Bromium-October-2017.pdf
https://allthingstalent.org/productivity-vs-security/2019/04/09/
https://www.securitymagazine.com/articles/96074-91-of-it-teams-feel-pressure-to-compromise-security