Sometimes I am asked for my opinion on whether or not computer users should be allowed to do risky things such as run old software, use certain cryptographic algorithms, or have root on their workstations.
My answer is almost always, “Yes”.
Why we should allow risky things
Governments could require that cars never exceed the posted speed limit, but they don’t. Why not?
Because sometimes, people need to speed.
A woman may be having a baby or a man may have cut his leg with a chainsaw. These people need to get to the hospital fast and someone has to take risks and break the speed limit to get them there.
Reasonable groups allow people to break the rules. In fact, rules are made to be broken.
Security compliance professionals should acknowledge that most people are good, reasonable and rational.
Sure, we can technically restrict what people may do with computers. It is easy to do, but these restrictions constrain them and the business in ways we may not fully understand, and may ultimately cause harm.
These restrictions may also make the business less competitive and a less desirable place to work.
Organizations should have reasonable security policies, and allow people to break the rules when they have a good reason to do so.
If you catch someone breaking the rules without good cause, give them a warning. If they do it again, formally record the violation. If the bad behavior continues, then apply technical restrictions and send them to training.
And after some time has passed, give the person a second chance to show that they have learned to use good judgment when taking risks.
This will make your business more competitive and a better place to work.