Security Tradeoffs

Bruce Schneier wrote an excellent summary the other day about the trend in corporate IT to relax security standards in favor of convenience and flexibility when it comes to new consumer technology. He points out that cloud computing is making this easier by taking the security burden off individual devices and operating systems. But the main point he makes at the end is really key:

"Security is always a tradeoff, and security decisions are often made for non-security reasons... Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it."

For me, this goes back to the idea of a Culture of Security. While I was the IT manager for a small business, the level of compromise I was willing to make regarding devices and security changed depending on my assessment of each individual's "IT savvy." Of course, I was totally content to let the programmer use whatever hard- and software he pleased, while the call center reps were limited to a strictly controlled terminal environment. But my true preference would have been to let everyone use whatever they were comfortable with.

Slowly, we're getting there. More and more hosted services that are platform-agnostic and do the security work for you are making the dream of the hottest new toys in the workplace a reality. But as Schneier says, "we'll muddle through, as usual." Invest in a culture of security, and find solutions that remove the burden of security from the users, and we'll reach a corporate gadget utopia in no time.