A recent survey reported on at DarkReading touched on the dilemma of security versus productivity.  Citing an available report from Crossbeam Systems, this classic balancing game pits the desires of functionality and performance against the demands of ramifications of security in the enterprise.  500 network security, IT, and C-level executives at companies worldwide were surveyed for the report.  And the findings indiceate that while security remains a priority, it is a common situation that features elements of security are withheld in order to preserve performance across technology environments.

“Organizations are keeping their firewall, IDS, network access control, and IPSec functions turned on, but they are shutting off application control, user identification control, and some anti-malware features. In next-generation firewall products, for instance, 91 percent are using stateful firewall features; 73 percent, NAT; 71 percent, IPsec; and 65 percent, IDS/IPS. Only 29 percent had deployed the anti-malware functions in these next-generation firewalls; 29 percent, user ID control; 33 percent, application control; 34 percent, antivirus; and 45 percent, Web filtering.”

Another interesting point within the report was the mistrust in security vendor performance metrics, followed by a quoted greater than 60 percent rate of incidents of unplanned additional hardware purchasing due to differences between claims and actual requirements.

“More than 93 percent of the survey respondents don’t trust the performance metrics that security hardware vendors provide on their data sheets, and 58 percent say they don’t trust the performance metrics themselves. More than 60 percent say they had to purchase additional hardware to make up for unmet claims by security hardware vendors.”

Real world testing and validation on the customer side is an additional field that was reported to be in deficiency.   This is hardly surprising considering the evolving technology base and demands.

One current example where this type of testing and validation lurk in the background can be found in the news surrounding T-Mobile delivering Android handsets with Good Technology enterprise device management platform.  This is certainly a welcome development.  It provides a base of security and management and allows for a much wider range of implementing mobile device policies.  However, there are reports and testimonials of varying end user experiences using these management tools, built-in encryption, and policies that have the potential of jeopardizing the widespread implementation and adoption of these technologies.

I am quite sure T-Mobile is addressing the proper validation and testing of the technology onto their handsets, and therein lies the example.  As the first story indicates, there is often a rush to implement the most promising technology, based on features, cost, and so forth.  This is particularly true in this world of expanding mobility.

Implementing proper security and management technology into an enterprise environment requires a thorough study and understanding of what the user experience becomes.  Understand the base, understand the technology, and know the scale of advantages vs compromise for your specific environment.

All this requires the boldness to question vendor claims and the underlying knowledge that all environments are not the same and apply those strategic points for the best success in implementing new security technology into your environment.