The innovation trade-off: Are tight cybersecurity protocols holding organizations back?
While robust cybersecurity frameworks are vital for sustainable operations, misaligned strategies can stifle innovation, collaboration, and productivity. Experts discuss how to navigate this challenge.
News
- Customer Centricity Summit & Awards Explores Brand-Customer Relationships in KSA
- GITEX Global 2024 to Showcase Global Innovation, Investment, and Cybersecurity Trends
- The Perfectly Imperfect Start of Disruptive Innovations
- GovTech Conclave to Explore Cutting-Edge Solutions for Modern Governance
- New Report Shows Cautious Optimism Among Enterprises Adopting AI
- Majority of CISOs Feel Their Organizations are Unprepared for Cybersecurity Regulations
Cybersecurity is integral to the success and sustainability of any business. A company’s ability to maintain and build customer trust and its brand reputation is contingent upon its ability to protect its data.
A study by IDC found that 80% of consumers in developed nations will defect from a business if their information is compromised in a security breach.
The latest IT outage caused by CrowdStrike proves this. The outage was estimated to cost Fortune 500 companies $5.4 billion.
Chris Bates, CISO, SandboxAQ, says this incident highlights how major SaaS companies are one event away from having a massive impact on customers, adding that the company’s fate will be on how transparent they are around the root cause and the correct actions they are taking to stop something like this from happening again.
Not only are companies accurately aware that robust protocols are essential for ensuring the integrity of sensitive information, but governments in the Middle East have also taken notice. For example, Dubai’s Cyber Security Strategy underlines the importance of building a secure and resilient cyberspace, demonstrating how a commitment to safeguarding information contributes to retaining, attracting, and maintaining customers.
Safety – But at What Cost?
While implementing cyber security defenses has become imperative for every organization, Morey Haber, Chief Security Advisor, BeyondTrust, warns that a delicate balance must be struck to avoid the pitfalls of over-protectionism, which can stifle productivity and the overall functions of the business.
Cybersecurity programs that are not aligned with business needs can lead to implementing too restrictive and cumbersome controls. This will cause unneeded friction across the business units, slowing down execution and innovation.
At a certain point, business units will find ways to bypass security controls that are too restrictive because they are mainly incentivized to grow and innovate the business. “Once employees try to bypass security controls, this invalidates the program and greatly increases the company’s risk,” says Bates.
Providing examples, Haber recalls one instance when a financial institution’s overarching deployment of access controls led to significant bottlenecks in daily activities. “Employees found themselves unable to timely access necessary data, leading to long customer hold times and lower employee and customer satisfaction,” he says.
In a second scenario, Haber shares that a technology company’s rigid email filtering policy, initially intended to prevent phishing attacks by not allowing risky file format attachments, inadvertently blocked legitimate communications, impeding collaboration with legitimate external partners.
Khalil Yazbeck, Kingston Technology’s Business Development Manager for UAE, Kuwait, Qatar, and Oman, highlights how companies blocking USB ports to prevent data breaches make collaborating harder for employees. “If a development team cannot access certain software or data due to stringent security policies, it can slow the innovation process and delay project timelines.”
Experts say for these reasons, cybersecurity programs should measure part of their success by satisfying customers, business units, and employees.
Supporting Protection and Enabling Creativity
To avoid the bottlenecks caused by misaligned strategies, such as lost productivity and low morale, organizations must consider international best practices and ensure robust protection while allowing creativity to flourish.
Flexible Frameworks
Adopting a flexible security policy framework, starting a risk-based approach, and de-emphasizing security mechanisms on low-risk assets, data, and access will avoid impeding workflows. “It’s a simple approach of Trust but Verify,” Haber says.
Leveraging Modern Security Technologies
Leveraging modern security technologies for threat detection and automated response systems is critical. These tools can provide robust protection with minimal human intervention.
Risk Management
Adopting risk management frameworks, such as NIST 800-53 or ISO 27001, provides structured methodologies to address potential threats systematically. This serves as the cornerstone of a robust cybersecurity process, which balances the requirements of protection and innovation.
Agile Security Practices
Incorporating agile security practices that can adapt to the evolving needs of the business, with regular updates to security protocols and continuous monitoring to address new threats without stifling innovation, is critical. A good reference point is the NIS2 Directive, set to take effect this October, which aims to enhance the cybersecurity of critical infrastructure and services within the European Union. “It provides a framework companies can follow to balance security and operational efficiency,” says Yazbeck.
He adds that this directive is especially important for the UAE, given their economic relationship. The country is the EU’s largest export destination and investment partner in the Middle East and North Africa region. Last year, bilateral trade in goods reached $59.2 billion.
Cultivating a Security-conscious Workforce
It is important to note that such strategies would only be effective with the support of the people within them. Haber says that designing effective cybersecurity training programs requires a delicate balance between objectivity and flexibility, ensuring employees understand the importance of security policies without feeling restricted. A narrative-driven approach to transform abstract rules into vivid stories based on real-world case studies that resonate with employees as they help protect the organization.
For Bates, the most effective cybersecurity training for employees is positive, not punitive, and provides context. “It’s not only explaining the ‘what’, but the ‘why’,” he says. “Training shouldn’t be technical and should use analogies that the end users can relate to.”
By illustrating the consequences of negligence, employees can learn the risks to their businesses and themselves. “Such engagement explains policies and empowers individuals to act confidently within the policies and procedures developed for the organization,” adds Haber.
Continuous education is also critical to keep employees informed about the latest threats and best practices to build a security-first mindset, as such tools can lead to innovative solutions, says Yazbeck.
By integrating cybersecurity strategies and adhering to the NIS2 Directive, companies can create a balanced environment where security and innovation coexist, driving business success and resilience.
At the end of the day, security shouldn’t be a gatekeeper but a partner in the innovation process.
Organizations must foster a data-driven culture that values inclusivity, quality, agility, and compliance, ensuring that data is embedded as a key element of their identity and strategic operations. At the Velocity—Data & Analytics Summit on November 12 in Riyadh, discussions will center on balancing security with transparency in data governance. Click here to register.