By John P. Mello Jr.
Many workers and managers in the United States and the United Kingdom place a higher value on trust in the workplace over financial compensation, according to new research released Tuesday.
A survey of 500 workers and managers in the U.S. and U.K. conducted by Osterman Research for cybersecurity firm Cerby found that nearly half of the participants (47%) said they’d take a 20% pay cut in return for higher trust by their employer.
Other characteristics researchers found highly prized by employees included flexibility (48%), autonomy (42%), and being able to choose the applications they need to work effectively (39%).
The State of Employee Trust Report by Osterman and Cerby examines the impact of zero-trust principles, which many companies are rapidly adopting to address the cybersecurity risks that arise when workers and managers use “unmanageable applications.”
“Applications are intimately tied to employees’ levels of engagement and empowerment. If employers attempt to block those applications, which they often do, it negatively impacts trust,” observed Matt Chiodi, chief trust officer at Cerby, a zero-trust architecture provider for unmanageable applications based in San Francisco.
“Sixty percent of employees said that if an application they want is blocked, it negatively affects how they felt about a company,” Chiodi told TechNewsWorld.
“The answer is not for employers to block these apps, but to find solutions that allow these unmanageable apps to be managed,” he said.
Fretting Over Control
Security teams frown on the use of unmanageable applications, also known as shadow IT, for many reasons. “Employees come and go. An organization may end up with thousands of unused credentials accessing its resources,” explained Szilveszter Szebeni, CISO and the co-founder of Tresorit, an email encryption-based security solutions company in Zurich.
“With a mountain of dormant accesses, hackers are bound to get into a few that would go unnoticed and pave the way to infiltrate the organization via lateral movement,” Szebeni told TechNewsWorld.
Unmanageable applications can endanger an organization because the organization has no control over the security practices applied to the development and management of those programs, noted John Yun, vice president of product strategy at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions in San Jose, Calif.
“Also, the organization has no oversight in the security update requirements of the applications,” Yun told TechNewsWorld.
Without any control over the application, organizations can’t trust it with access to their environments, maintained Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.
“Letting employees choose the best tool for the job, especially when it’s running on their own equipment, is welcome,” Parkin told TechNewsWorld.
However, he asserted, “It does require some compromise with the organization putting in the effort to vet the chosen applications and employees willing to abstain when their preferred app isn’t on the approved list.”
Roger Grimes, a data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., took a harder line on the issue.
“It’s up to the cybersecurity risk managers of an organization to determine if the risks incurred are worth the benefits,” Grimes told TechNewsWorld. “You don’t want the average end user deciding what is or isn’t risky for the organization any more than you want the average passenger flying an airplane.”
Worth the Risk?
Applications are considered unmanageable because they often don’t support common security measures, such as single sign-on and automatically adding or removing users, explained Chiodi.
“That presents a risk to a business, but business users still need those applications,” he said. “Businesses need to find ways to bring those applications to a point where they can be managed, so those risks are reduced.”
Labeling applications unmanageable is misleading, observed Marcus Smiley, CEO of Epoch Concepts, an IT solutions provider in Littleton, Colo.
“They are built without support for modern, industry security standards, which makes them harder to monitor and secure,” Smiley told TechNewsWorld, “but while this means they can’t be managed like other applications, they can be managed in different ways.”
“When unmanageable applications are being used, there is always some reason why,” he said. “Many organizations need better communication between IT and employees to clarify company policies and the reasons behind them.”
“IT should also provide channels to request applications and be proactive in providing more secure alternatives to problematic ones,” he added.
Smiley maintained that in some situations, allowing unmanageable applications with oversight is appropriate, because it ensures that identity-management best practices and more secure configurations are implemented instead of less secure ones.
“Ultimately, there’s no such thing as a risk-free cybersecurity strategy,” he noted. “Every security program — even those that fall under zero trust — includes trade-offs between mission-critical business functionality, productivity, and risk.”
Balancing Act Needed
The safest approach is to have any application reviewed prior to adoption by a person or team with cybersecurity expertise, who can identify any issues that may arise from the software or service’s use, ensure the legal terms are acceptable, and plan for ongoing maintenance, recommended Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Unfortunately, many organizations do not have the expertise or resources to properly evaluate these risks, resulting in the process not occurring at all, or just as bad, dragging on for weeks or months, which harms employee morale and productivity,” Clements told TechNewsWorld.
“Balancing cybersecurity risk with employee needs is a practice that organizations need to take more seriously,” he said. “Allowing a Wild West approach will unavoidably introduce cybersecurity risks. But on the other hand, being overly stringent can lead to choosing product or service solutions that are too heavily compromised in usability and user convenience or simply denying approval altogether.”
“These can cause frustration and lead personnel to leave the organization or actively subvert security controls,” he continued.
Misuse of zero-trust principles can also add to that frustration. “Zero trust is for data, access, applications, and services,” Chiodi argued. “But when it comes to building trust on the human side, companies need to be aiming for high trust. The two are not mutually exclusive. It is possible, but it’s going to take a change in how employers use security controls.”
“By giving employees technology options, companies can show that they trust their employees to make technology decisions that help them do their jobs better,” added Karen Walsh, principal at Allegro Solutions, a cybersecurity consulting company in West Hartford, Conn.
“By reinforcing this with education around the ‘assume compromise’ mentality,” Walsh told TechNewsWorld, “they build a stronger relationship with their workforce members.”