CISO Survey: End Users See Security as a Hurdle to Innovation | Healthcare Informatics Magazine | Health IT | Information Technology

CISO Survey: End Users See Security as a Hurdle to Innovation

October 23, 2017
by Heather Landi

Traditional approaches to security are leading to frustrated users and strained relationships between workers and IT departments, according to the findings of a survey of chief information security officers (CISOs). About three-fourths (74 percent) of CISOs say end users are frustrated that security disrupts productivity and 81 percent say end users see corporate security policies as a hurdle to innovation.

The findings are from a CISO survey conducted by Bromium, Inc., a Cupertino, Calif.-based security software company. The research, based on a survey of 500 CISOs from large enterprises in the US (200), UK (200) and Germany (100), is part of a wider report, called “The CISOs Dilemma: Security Versus Productivity,” on the role of the end user in cybersecurity.

The research revealed most security teams utilise a ‘prohibition approach’—i.e. restricting user access to websites and applications—a tactic which is hampering productivity and innovation while creating major frustration for users.  

Key findings from the survey include:

  • 88 percent of enterprises prohibit users from using websites and applications due to security concerns, with 94 percent investing in web proxy services to restrict what users can and can’t access
  • Unsurprisingly, these restrictions negatively impact user experience: 74 percent of CISOs said users have expressed frustration that security is preventing them from doing their job and 81 percent said that users see security as a hurdle to innovation
  • 77 percent of CISOs feel stuck trying to keep the organization secure while enabling innovation
  • Worryingly, security could also be impacting customer relationships and deals, as CISOs report that they get complaints at least twice a week that work has been held up by over-zealous security tools
  • As a result, IT help desks are spending an average of 572 hours a year responding to user requests and complaints regarding access to websites

All this frustration is creating an uneasy relationship between IT, security and the user, according to the report authors. Seventy-one percent of CISO respondents said that they are being made to feel like the bad guys, because they have to say ‘no’ to users requesting access to restricted content.

“At a time when competition is fierce, the risk of falling behind and being less productive is as big a risk to an enterprise as cyberattacks. Security has to enable innovation by design, not act as a barrier to progress. Sadly, traditional approaches to security are leading to frustrated users, unhappy CISOs and strained relationships between workers and IT departments—all of which stifles business development, innovation and growth,” Ian Pratt, president and co-founder of Bromium, said in a statement. “This is unacceptable in a world where time to market is a vital driver for business success. We need to put an end to this catch-22 between security, productivity and innovation—things need to change.”

At the same time, 99 percent of CISOs surveyed believe end users are the last line of defense against hackers and virtually every CISO believes that user education, policies and procedures are essential to ensuring employees understand their role in keeping the business secure.

The survey also found that 94 percent of CISOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.

However, this education, alongside strict policies and procedures and restricted access to websites and applications, is leaving employees feeling exasperated. In fact, 74 percent of CISOs told us that employees in their organization had already expressed frustration at the way these policies were hampering their productivity.

To calculate the cost of employee security training and education, the researchers asked CISOs how much time employees are spending on this in their organization. The report found that the average employee now spends 7 hours per year in security training and learning processes. For an organization that employs 2,000 people this equates to a cost of $290,033 in terms of lost productivity.

The report authors contend that the survey findings suggest enterprises need a new approach to security. With revenue, reputations and share price on the line, those who look to new approaches to security will not only protect the business, but have the competitive advantage.

The report suggests that application isolation puts the activities most often targeted by cybercriminals—downloading files, using applications, browsing the internet—into micro virtual machines. When these activities are initiated, the network is protected because malware is trapped inside the container.

