Some of you may have tried implementing a people-centric security (PCS) strategy and faced opposition from some business leaders and security and risk professionals. But, how would they react now if they knew that by 2019, digital business adoption will compel 30% of organizations to implement PCS strategies – up from less than 5% in 2014?
PCS is a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.
“PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment,” says Tom Scholtz, research vice president and Gartner Fellow.
Can those perplexed business people be persuaded to consider a PCS in a near future? Here’s a scenario that can take place with a PCS strategy.
The subject is an international group of companies that manufacture high-technology products for various sectors. It consists of multiple global businesses, with major operations in Europe, the U.S. and Asia.
The organization has a group IT function to provide connectivity services for all the organization’s subsidiaries. Subsidiaries manage their own systems and applications with their own IT staff. The IT team supports the global WAN and perimeter security, and also provides security and risk services to the subsidiaries.
Until early 2013, the IT team tried to enforce a very orthodox security strategy on the organization. It created strict policies, rules and controls that all subsidiaries were expected to follow. Given the culture of the organization, this approach was not very successful.
The group’s CIO realized that something had to change, and started exploring alternative approaches that would be more suitable to the organization’s autonomous culture and structure. He opted for a PCS strategy that was based on trust.
The trust-based security strategy empowered decision makers within the enterprise’s subsidiaries to make their own risk-based decisions. In essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from group’s IT team. This enabled a more collaborative approach that is much more aligned with the organization’s culture to minimize risk and maximize the use of a wide variety of IT services. This was in stark contrast to the previous policy-based dictatorial approach.
The IT team continued to develop and improve its security education program to support the trust-based strategy. In parallel, the group’s CIO reached out individually, via email, to every managing director or president of every subsidiary, outlining the proposed new approach. The rollout of the new strategy was followed up with regular joint strategy review meetings between group’s IT team and subsidiary executives.
From a security perspective, the IT team is now seen more as a strategic partner by the subsidiaries, rather than an obstacle. The subsidiaries make their own risk-based security decisions, guided by the principles and core standards, with the IT team providing appropriate advice. IT also gets invited much more frequently to support the subsidiaries with their risk decisions. The overall result is that security risk management in the enterprise has improved because:
- IT, as a corporate function, now has much better insight into the overall risk position of the enterprise.
- The collaborative approach enables the subsidiaries to make improved risk decisions.
The culture of the organization was a key enabler for the trust-based approach, as was visible executive support. Care had been taken to ensure that the company did not fail in its standard of due care in various regulatory requirements. Ongoing communication was also vital, not just to overcome the objections of the few IT managers, but also to maintaining the ongoing impetus of the strategy.
Overall, security and risk leaders must carefully consider whether PCS is appropriate for their organization and ensure that the appropriate enterprise environment exists for PCS. PCS is not a tool for initiating cultural change.