Balancing Access, Security And Operational Continuity

By Craig Davies, Chief Information Security Officer, Gathid.
The role of a chief information security officer (CISO) is a balancing act—ensuring operational continuity while enforcing stringent access controls. This challenge is compounded by legacy systems, evolving compliance requirements and business processes that often prioritize convenience over security.
The key question every CISO must ask is, “Are we protecting our data in a way that aligns with business objectives, or are we just enforcing restrictions for security’s sake?” The best security is seamless—transparent to users yet robust enough to protect sensitive data. However, too often, security measures create unnecessary barriers, leading to workarounds that can ultimately increase risk.
Security Versus Productivity: The Unspoken Trade-Off
Some industries require stringent access controls—financial systems, healthcare records and personal data repositories must be safeguarded at all costs. Yet, in many cases, organizations apply security measures indiscriminately, making everyday business tasks unnecessarily difficult.
Consider this common scenario: A business invests in a highly secure financial system and sets stringent role-based access controls alongside MFA. The financial data contained within the system is safe and secure.
There’s just one problem: The reporting functionality of the financial system is woeful. It’s not fit for purpose at all. As a result, employees frequently export sensitive data to spreadsheets for further analysis. The intent is not malicious; they are simply trying to do their jobs more efficiently.
However, each time data is removed from a secure system, the carefully designed access controls become irrelevant. Once in an Excel file, who has access to the data? Where is the data stored? How is it shared? The security perimeter collapses, and the risk increases exponentially.
This is where CISOs need to take a step back. Is the real issue one of access control, or is it a business process problem? If the reporting functionality of the financial system is inadequate, should security teams focus on restricting exports—or work with the business to provide a better reporting solution? A CISO’s role is not just to enforce controls but to question the root cause of security gaps and collaborate on smarter solutions.
The Problem With Legacy Systems
Many organizations operate on aging infrastructure that was never designed to support modern security and access governance requirements. Enterprise resource planning (ERP), logistics and financial reporting systems can be decades old but still function effectively within the business. Upgrading or replacing them entirely may not be feasible due to cost, complexity or business disruption.
Security teams often see these legacy environments as problems to be solved by migration to modern platforms. However, CISOs must recognize that in many cases, businesses will continue relying on legacy systems for years.
The challenge is not to force a full-scale upgrade but to enhance security controls around existing processes. This requires creative solutions, such as using knowledge graphs and digital twins to monitor access patterns and detect anomalies rather than enforcing blanket restrictions that disrupt productive, efficient workflows.
Rethinking Access Controls: Working Backward From The Outcome
Rather than defaulting to more restrictions, CISOs must work backward—starting with the business outcome and identifying the best way to secure it. When employees download data from a CRM system, for instance, the immediate reaction may be to block exports entirely. But what if exporting customer records is a legitimate business requirement? The real question should be, “Are we ensuring that exported data remains protected?”
Modern identity governance should focus not just on access controls but on context-aware security. Instead of a one-size-fits-all approach, CISOs should look at:
• Dynamic Access Policies: Adjusting permissions based on context, such as location, role and device trust levels
• Regular Monitoring And Anomaly Detection: Identifying when data movements deviate from expected patterns
• Encryption And Data Loss Prevention (DLP): Ensuring that exported data remains secure, even outside core systems
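As an added illustration of these three points (not code from the article or from Gathid), the following Python sketch decides an export request from the financial system by combining role, device trust and location with a per-user baseline built from a constructed export log; the role set, trusted locations, thresholds and log lines are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample export log from a financial system (not real data):
# one line per completed export, "user=<id> rows=<row count>".
EXPORT_LOG = """user=alice rows=1100
user=alice rows=1250
user=alice rows=980
user=alice rows=1300
user=alice rows=1150
user=bob rows=50
user=bob rows=40"""
# Assumed policy inputs; a real deployment would source these from IAM and MDM.
EXPORT_ROLES = {"finance_analyst", "finance_manager"}
TRUSTED_LOCATIONS = {"office", "vpn"}

@dataclass
class ExportRequest:
    user: str
    role: str
    location: str
    device_managed: bool
    rows: int

def baselines(log: str) -> dict[str, list[int]]:
    """Per-user history of export sizes, parsed from the log text."""
    hist: dict[str, list[int]] = {}
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        hist.setdefault(fields["user"], []).append(int(fields["rows"]))
    return hist

def is_anomalous(rows: int, history: list[int], z: float = 3.0, min_samples: int = 5) -> bool:
    """Flag an export far above the user's own baseline (z-score test)."""
    if len(history) < min_samples:
        return False  # too little history to judge; other controls still apply
    mu, sigma = mean(history), pstdev(history)
    return rows > mu if sigma == 0 else (rows - mu) / sigma > z

def decide_export(req: ExportRequest, history: list[int]) -> tuple[str, str]:
    """Context-aware decision: deny, step_up (extra verification), allow_encrypted or allow."""
    if req.role not in EXPORT_ROLES:
        return "deny", "role is not entitled to export"
    if not req.device_managed:
        return "deny", "unmanaged device: the exported file could not be protected by DLP"
    if is_anomalous(req.rows, history):
        return "step_up", "export volume deviates from this user's baseline"
    if req.location not in TRUSTED_LOCATIONS:
        return "allow_encrypted", "off-network: DLP encrypts the file so controls travel with the data"
    return "allow", "in-policy export"
```

Note the deliberate gap: a user with too little history (bob) is never flagged by the baseline test, so the role, device and DLP checks must carry the control until enough history accumulates.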
Rather than implementing rigid rules that users will inevitably work around, security leaders should create systems that adapt to business needs while maintaining necessary safeguards.
The CISO’s Role: More Than Just Gatekeeping
Security should be an enabler, not an obstacle. CISOs are often perceived as the ones who say “no,” but the real goal of any effective CISO is to help businesses achieve their objectives securely. If employees are bypassing security controls, the problem may not be that they are careless—it may be that the security measures in place don’t align with how they need to work.
That’s why the best CISOs engage directly with business teams, asking key questions:
• Why do we do things this way? Many risky processes exist simply because “that’s how it’s always been done.”
• What is the real risk? Are we truly dealing with a security issue, or is it a process inefficiency masquerading as one?
• Are we securing the right things? If exporting financial data is necessary, are we protecting the exported files, not just the database?
Finding The Balance
The CISO’s dilemma is not about choosing between security and business continuity—it’s about ensuring both can coexist. The best security strategies are those that integrate seamlessly into business operations, making security transparent and effective without hindering productivity.
By shifting the conversation from control to collaboration, CISOs can build security frameworks that work with business needs rather than against them. Whether leveraging new technologies like knowledge graphs and digital twins to provide deeper visibility or rethinking access governance policies, the key is to create a security posture that is both strong and adaptable.
After all, security that prevents people from doing their jobs isn’t security at all—it’s just another obstacle to be worked around.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.