Most traditional security plans take a command and control approach to keeping the enterprise safe. With the advent of digital business, this orthodoxy no longer works. “Too many identities, devices, locations, data, and threats,” says Tom Scholtz, research vice president and Gartner Fellow, during his session titled People-Centric Security: Experienced and Lessons Learned at the Gartner Security & Risk Management Summit in National Harbor, Maryland.
With People-Centric Security, organizations can reduce security controls and have a positive impact on the staff morale and agility of the business, and improve overall security.
The People-Centric Security (PCS) framework gives each person in an organization increasing autonomy in how she uses information and devices – and what level of security she chooses to adopt when she uses it. The individual then has a certain set of rights in using technology and is linked to the group in the entire enterprise. She must also recognize that if things go wrong, it will have an impact on the team, group, and business.
“If we’re going to give people more freedom to decide, we must make them aware that there are consequences and educate them on what these consequences are,” Scholtz says. “We can’t ask them to make decisions that may have a negative impact if they don’t have the knowledge to make those decisions.”
Create an Environment for PCS Success
A key prerequisite for PCS is the ability and context for individual users to make the appropriate risk-based decisions about their use of technology and business applications. Hence, PCS implies much more than just traditional security awareness and training. It requires a working environment that empowers staff to take initiative:
- A culture that fosters personal accountability and freedom, driven by the leadership of the organization.
- A willingness among employees to take personal accountability.
- A group culture that clearly sets the context for appropriate behavior, including the potential collateral damage of inappropriate behavior to the individual’s relationships and social networks.
- A clear understanding of the personal consequences of individual decisions and behaviors, as well as a clear link between undesired behaviors and resultant actions.
- A formal education program that embeds this knowledge into all employees that is tailored to different audience profiles.
PCS Success Stories
Implementing a PCS strategy has its challenges. Mr. Scholtz has collected experiences and lessons learned from a growing number of organizations. A multifaceted financial organization implemented a large virtual data warehouse for business intelligence (BI) purposes. However, enforcing conventional role-based access control, based on the least-privilege principle, for the hundreds of BI analysts was impractical. Instead, the organization flipped to a default-to-allow approach, giving the analysts access to all the data in the virtual data warehouse, except for the small subset of data to which general access must be limited. It closely monitored individual access and utilization of the data creating a much more scalable solution. By virtue of giving the analysts much greater access to much more data, it enhanced the analysts’ ability to extract value from their analysis.
In another example, a large energy enterprise decided that its traditional approach to information security was impractical. Its policies and controls were too cumbersome, and seldom reflected the users’ real-life experiences. The enterprise decided to replace its policies and controls with a set of core principles that are formalized in a “book” and shared with all employees. Some of the key principles outlined in this book include making information owners directly accountable for protecting their information, giving these information owners the autonomy to make appropriate security control decisions based on their risk appetite, and always challenging conventional wisdom when confronted with a new security challenge. The security organization has repositioned itself as primarily being an advisory and assurance function and reduced the number of mandatory security control requirements from 43 to 8.
Key lessons learned:
- Ensure that the appropriate enterprise environment exists. It must be a culture of trust. PCS isn’t a tool for initiating cultural change.
- Select an appropriate target domain for the implementation.
- Consider the technology opportunities that can be used to facilitate PCS.
- Investigate the potential legal and HR issues.