As new forms of technology put more capability in the hands of individuals, employee monitoring becomes crucial to the development of security risk management objectives. Andrew Walls, managing vice president at Gartner and conference chairman of the recent Gartner Security & Risk Management Summit, explains that, fundamentally, overseeing employees means monitoring them and receiving feedback while providing full transparency, in order to maintain consistency and coherence in the enterprise.
There’s value in monitoring structures despite the invasive notion people may have of them. Some of the most commonly monitored things are phone calls, physical actions via video, endpoint and network use, and location/motion tracking.
Gartner predicts that through 2018, organizations that monitor at least three key employee security behaviors will recognize 50% improved employee security performance compared with organizations that do not. Reasons why monitoring is implemented within the enterprise are:
- Performance – the primary objective. We monitor employees to ensure a certain level of performance in the workplace. Organizations want to monitor behavior in terms of moving business objectives forward, as a way to correct poorly performing units and reward high-performing units.
- Security – Allows for breach containment, early mitigation of risky behaviors and increased accuracy in planning.
- Reputation – Assess the reputation and image associated with certain entities via actions like social media monitoring and perusing websites to see what people are saying for proactive containment of PR issues.
- Discovery/Curiosity – The realm of big data. Monitor everything to find new ways to achieve productivity. Enables new opportunities/pathways.
As invaluable as this can all be, is it ethical? Mr. Walls explained that it’s all about the jurisdiction you’re in because that trumps all – there are things that can be done in the U.S. that are prohibited in Canada or elsewhere.
“When looking at laws, we see that they’re not prescriptive as they tell you what you cannot do and what you have to do in terms of consent, but they don’t bar you from doing anything specific as long as you go through the right hoops for approval,” Walls says. “Since the laws don’t provide sufficient guidance, and are way behind the advancements in technology, it becomes an ethical choice.”
Within an organization, executive stakeholders and security teams develop the business cases for monitoring within an enterprise, and it’s essential that they’re aligned in their decisions so that the proposed action rests on a sound ethical base. Everyone needs to be involved in answering these six questions:
- For what purpose is the undocumented personal knowledge sought?
- Is this purpose a legitimate and important one?
- Is the knowledge sought through invasion of privacy relevant to its justifying purpose?
- Is invasion of privacy the only or the least offensive means of obtaining the knowledge?
- What restrictions or procedural restraints have been placed on the privacy-invading techniques?
- How will the personal knowledge be protected once it has been acquired?
“Ethics brings business value to you,” Walls says. He urged IT and security leaders to take a stand because they will be judging the ethical frameworks being used.
“If you are pursuing employee monitoring, it is critical that you provide full transparency to everyone about what you are doing,” Walls says. “Build a business case that identifies costs, benefits, risks and all potential problems that are social in nature. In order to be successful you need to develop clear and consistent governance.”