by Hamish Barwick

Security needs to become easier for users: Novartis CIO

Nov 11, 20113 mins
Business ContinuitySecurity

The IT industry must take measures to make security easier and faster for employees who are not computer savvy says Novartis Australia chief information officer, Ruth Marshall.

Speaking at the Australian Information Security Conference (AISA) 2011, she said the pharmaceutical company employed a mobile workforce who were struggling to remember multiple passwords and were being slowed down by security updates which could take 15 minutes to load when they logged in to the company’s virtual private network (VPN).

In-depth: Information security 2011 Research Report.

“Sixty per cent of my 1000-strong workforce is out in the field and they only come to the office twice a year for meetings so the VPN is essential for them,” Marshall said.

Many staff members, who are not “computer people”, neglected to click the send secure button on emails and forgot multiple passwords.

“Even if they did use the send secure email function, someone can just forward the email once they have received it and then it could go anywhere,” she said.

Another problem faced by Novartis was that staff chose not to use the company’s corporate encrypted e-meeting tools as, according to staff feedback, Skype was “way cooler”.

The same applied to an internal social networking platform developed by the company called Yammer with staff choosing to use public social networking sites Facebook and Twitter instead.

“No matter how many times we tell staff that we’re not monitoring their conversations, they are never going to be as free with their opinions on the internal Yammer tool as they would be with Facebook,” she said.

“The more our community gets distributed and their data gets put into the Cloud, the harder it is for us to be sure that we are managing security, traceability and controls.”

While Marshall has reminded staff to be more disciplined and to not do security updates while trying to load reports, she conceded that many were not disciplined when it came to security.

“People are not going to change their behaviour in order to make the company more secure so we need to look at security environments,” she said.

To overcome these problems, Marshall issued a challenge to conference delegates to make security more efficient and usable for people.

“Useability is the biggest challenge we face because we can’t turn the clock back to stop Cloud computing or bring-your-own-devices [BYOD]. We need to stop security being a barrier for people who are trying to do their jobs; we need it to be transparent and useable.”

According to Marshall, email encryption should become a default rather than a opt in option while virus scans needed to be easier and quicker.

“People cannot be slowed down anymore by a 15-minute wait while their machine is being crunched through,” she said.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia