During my work in many different IT projects, I experienced one topic which was part of almost every single project: the discussion with IT staff about IT Security. In my eyes, most IT staff highly underestimate the importance of IT-Security. IT staff always prefer comfort over security. Therefore, the security of a final solution should always be reviewed by a non-IT-staff resource. I really do not mean this in a bad way… it is a simple fact… IT staff do not have the right view on things when it comes to IT-Security, that's all! 🙂
Of course… there has to be a balance between security and comfort. It is not practicable to establish a huge number of security features which, in the end, will raise the effort for the IT staff to fulfil their daily job; but on the other hand, it is also unacceptable that almost no security is applied only to make the daily job of the IT staff easier.
I have already experienced both cases. In one case, the IT-Security team forced us to establish a process whereby only multiple people from the IT staff together were able to access the system for administration (for example with the four- or six-eyes principle… splitting the password between multiple people). In the end, this led to a much bigger effort for basic administration, because the IT-Security team did not consider the number of changes that needed to be applied to that system. So for every single administrative task, two or three people were forced to work on the change, and these people were not able to do anything else during that time. Then we reached the point where changes could only be applied during non-working hours, and at that point the security process was no longer practicable… Such a process sounds good or looks good in some kind of security concept, but in real life it is neither justifiable nor practicable.
In the other case, the password of a very important administration account was stored in an unencrypted text file, because it was necessary to access this password from some automated scripts which used this administration account. Of course you need to use these credentials to fulfil your job, but make sure these credentials cannot be accessed by third parties! Establish security!
Every single company should have a Risk Management function, so that as soon as the IT department reaches a point where daily business and security are in conflict, Risk Management or IT Security Management kicks in. It is impossible to avoid every single risk within a company, but there are many ways to handle risks.
So from that perspective, I definitely choose IT-Security over comfort.