Access is a Right, not a Privilege

By Charles, February 3, 2025

Below are my own reflections on a year of changing our cyber security posture, and shifting from something that was intellectually comforting and familiar (can't understate the risks of the familiar), to something that feels right.

Many cybersecurity experts have built their careers on "zero trust" principles, or at least these methodologies by another name; I was one of them. Access to systems is earned, controlled, and heavily monitored; it is a privilege earned over time and a risk. Over time, this approach has become so pervasive that it is treated as an unspoken rule; if you work for an organisation, your device, your software, and your online behaviour must be monitored and restricted for the greater good. Yet, when you take a step back and view things from the human perspective, this model can feel limiting, invasive, and counterproductive to real innovation.

At Yopla, our cyber journey began as an agnostic, objective exercise to find a better way, one that empowers people instead of restricting them. Our perspective evolved when confronted with the realisation that the "Big Brother" IT approach often works against the goals it sets out to achieve. This is the story of how we came to believe that access is a right, not a privilege, and how weaving technology differently into people's daily lives ultimately benefits both the individual and the organisation.

Listening to People

We quickly learned that the most sophisticated security system means little if the people using it feel restricted and spied upon. One of our Co-Founders, Eve, shared that her work laptop was not just a tool but a vital part of her day, much like a desk, and challenged us to do better, to rethink what the space means to the individual and how to have a relationship between the organisation and the individual that "feels right". In short, the idea that someone might dictate how she organised her virtual workspace felt overbearing. If we wanted to truly empower our team, we would need to avoid telling them how to work and instead build trust.

The team were also open in sharing that cyber security was felt to be a justification for "spying on" people, rather than protecting data and systems; this reflected common feedback and our own insights through audit. So how should we approach the problem of protecting "our company stuff" while putting the individual first, respecting not just their right to personal privacy but also their feelings?

Reimagining Access as a Right

Our first step was rethinking access. Instead of making access something one earns bit by bit, we needed to see it as a basic right within a safe framework.

I was worried about this as we approached the problem; it was the norm for me to catalogue every action and inaction, every piece of data, in order to categorise, simulate and approve/disapprove. Somehow, cyber security trust had become almost unaffordably expensive.

But it felt right. After over a decade of cyber security, we decided to start by placing trust in our people and explaining the reasons behind our approach to risk and our policies; we would avoid a model of restrictions and suspicions. We would need to establish clear guidelines that distinguish personal from professional data, trusting individuals to respect this boundary without heavy-handed oversight; but that's just being responsible.

Accepting Reality: Separation of Personal and Professional Digital Lives

After shaking my head out about trust, the next thing I had to face up to was that people did in fact have personal lives, and they didn't want the company involved.

Acknowledging that our everyday work, personal and professional lives often blend was critical. So we (me a bit more slowly) accepted this reality and decided to set policies that work with it, rather than against it. By clearly defining what counts as work data versus personal data (in a data hierarchy policy), we allow our team to use their device freely, confident that they are not compromising the company. Our focus shifted from how to enforce strict controls on every action, to creating an environment where people understand and value the importance of protecting sensitive information.

A Move to Web First: If It's not On the Computer....

By this stage I had started to grasp what was going on; questions like "why do we have data on people's devices at all", "can we avoid that", "doesn't this just make everything easier?", and "surely not" were whirring in my mind.

A significant change for us was migrating to Google Workspace (Microsoft Online and others offer similar services). Using Google accounts as our single sign on simplified how our team accessed our various tools, and with a single set of credentials, everyone could log into work services without juggling multiple passwords. This move was especially liberating because Google is web first, meaning most of our data is stored and managed in the cloud. This has several benefits:

  • Single Sign On: Our team access all the necessary services with one Google account (think logging in to finance, CRM etc. with the same account), reducing the hassle of remembering many logins and the risks that go with that.
  • No Local File Worries: Because our focus is on web services, we don't need to worry about files stored on individual devices. This reduces the risk of data loss and simplifies recovery if something goes wrong.
  • Streamlined Management: Onboarding a new team member or handling someone leaving becomes easier. With integrated account provision (Single Sign On), account provisioning and deactivation are swift, keeping processes smooth and efficient.
  • Clean Separation of Data: By relying on cloud services we ensure that personal and professional data remain distinct; this is further enforced in our hardware selection. Employees can use their devices for both work and personal tasks without fear of overlap or intrusion.

But our move to Google wasn't just about technology. It was about choosing a philosophy that matched our own, one that valued simplicity, transparency and user empowerment. Google's approach supports our belief that access should be a right, allowing our team the freedom to work in ways that suit them best while safeguarding the organisation's data.

Moving Away From Windows

This was a tough one for me. I'm a lifelong Windows fan and still a major advocate for the powers of Microsoft's incredible ecosystem, but ultimately Microsoft were a victim of our strict adherence to achieving our strategy and goals within.

We considered various operating systems as part of this strategy, including Windows, Linux (yes, really!) and macOS, to see which best supported our approach. Our intention was not to chase a brand name but to find a platform that serves both personal and professional needs in a simple and intuitive way.

While Windows offered widespread familiarity, it often required rigid controls and lots of oversight. Linux, with its flexibility, typically demanded technical expertise and customisation to make everyday use easier. In contrast, Apple's macOS provided an intuitive interface and built-in privacy features that allowed us to seamlessly separate personal and professional data on the same devices; this aligned perfectly with our goals.

It's of note that Apple's integrated hardware and software ecosystem stood out not only for its ease of use but also for its longevity and environmental consideration. Mac computers' robust construction and long life are well covered, but what this meant for us was fewer replacements, less waste, a smaller footprint and a happier, more productive team. This combination of intuitive design, strong security, and long-lasting hardware with an environmental ambition made it the best fit for our goals.

Embracing a Friendly, Open Culture

Throughout this journey we worked hard to keep focus on the human at the other side of the keyboard and screen, introducing only lightweight management tools that quietly work in the background.

They ensure that essential software is up to date and devices are encrypted, secure and compliant. We implemented strong password and biometric policies and two-factor authentication, and did it all in a clear, understandable way, never turning security into a guessing game or a maze of confusing instructions.

But What About Me?

Oh no, everything I thought was right doesn't work for what we want to do now... What do I have to give?

As I navigated this transformation, I realised that my deep expertise, honed over many years in cyber security, was steering me towards solutions that no longer aligned perfectly with our evolving strategy. This realisation was both humbling (worrisome) and liberating. It doesn't negate the value of what I've learned and practiced; those experiences remain strong, valuable building blocks of my professional journey. However, they simply don't fit within the framework and goals we've set at Yopla.

In this context, the strategies and tactics that once served me well are not the right tools for our mission; they may be incredibly effective elsewhere, but here they needed to give way to approaches that prioritise trust, simplicity and the human experience. This personal pivot underscores a key element of Yopla's approach to all things tech: we put the people and the preference of each company first. Rather than facing a one size fits all solution, we seek out strategies and technologies that work best for the individuals and culture they serve.

Accepting that change was necessary not only allowed me to grow, but also reinforced our commitment to finding solutions tailored to our team's needs. It's a reminder that expertise is adaptable, and sometimes, the wisest choice is to step aside from familiar methods that no longer serve the mission, embracing new paths that truly empower.

The Road Ahead

Today, our IT at Yopla is relaxed and secure. We trust our people and equip them with the tools that help rather than hinder. By changing our approach from "access is a privilege" to "access is a right", and objectively assessing vendors and suppliers to best align with this, we have made access a right. This shift not only protects sensitive data, but also empowers individuals to be creative and productive and, critically, preserves their ability to self determine, a fundament of empowerment.

I hope that my story shows that when organisations prioritise trust and simplicity over control and complexity, you can create a culture where security feels natural rather than oppressive. We are proud of this shift, and we believe it is a lesson worth sharing. Access is not something to be hoarded and earned. It is a right that, when granted responsibly, can lead to a healthier, more innovative workplace for everyone.

Now this is a journey we're still on, and we have missteps along the way, but keeping our focus on the goal allows us to stay on track, and when we fall off a little, shake off, refresh and correct.

Here's hoping this is the start of your journey to digital enablement.

Charles
Co-Founder, Yopla