This fundamental tradeoff between security, usability, and cost is critical. Yes, it is possible to have both security and usability, but at a cost in terms of money, time and personnel. Making something both cost-efficient and usable, or even secure and cost-efficient, may not be very hard; making something both secure and usable is more difficult and time-consuming. It takes a lot of effort and thinking because security takes planning and resources.
For a system administrator, usability is at the top of the list. For a security administrator, security is at the top, which is no surprise really.
What if I tell you that the two job roles are orthogonal? What gets a sys admin bouquets will get a security admin brickbats, and vice versa.
Oh, and when we say “cheap” we mean in terms of effort, either by the vendor or by the user.
Security administrators face some interesting tradeoffs. Fundamentally, the choice to be made is between a system that is secure and usable, one that is secure and cheap, or one that is cheap and usable. Unfortunately, we cannot have everything. The best practice is not to make the same person responsible for both security and system administration. The goals of those two tasks are far too often in conflict for this to be a position in which someone can succeed.