By Paul Proctor and Tom Scholtz
As bring your own device (BYOD) becomes the norm in many organizations, it creates a growing user base that is accustomed to unlimited access to computing resources. Policies and their associated controls dramatically inhibit the potential of such employees. Given this reality, individuals come to perceive security controls as having only downsides, with no associated upsides.
The reality is that technology solutions give an enterprise only so much security. In fact, too much security technology trying to force people to behave as we wish actually lowers protection levels. Likewise, trying to prevent employees from using certain devices, or banning certain behaviors, is often counterproductive.
An alternative approach that should be considered in our complex digital world is people-centric security (PCS). This strategic approach to information security emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.
Motivating Safe Behavior
PCS is founded on a set of key principles and, because it is based on the mutual rights and responsibilities of individuals, offers a viable alternative to the status quo. Such a PCS approach places more direct responsibility and trust on individual users. It rests on the assumption that most individuals intuitively want to behave appropriately, rather than on the view that individuals are inherently evil.
These rights and responsibilities are based on an understanding that if an individual does not fulfill his or her responsibilities, or does not behave in a manner that respects the rights of his or her colleagues and the stakeholders of the enterprise, then that individual will lose certain rights and be subject to disciplinary procedure. The result is that individuals are motivated to do the right thing because they have a stake in the outcome.
Most risk and security programs have many priorities, and companies have limited resources to focus on protecting their most important assets. Often, infractions by employees who ignore policies are not at the top of an organization’s list.
Moving forward, security programs should devote more attention to educating users about what is at stake in risky practices adopted for convenience. Simple behavior changes can do as much, or more, to protect your enterprise than spending millions on complicated technology that will make users miserable. Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.
PCS is not a replacement for common-sense defense-in-depth security, nor is it a relaxation of security requirements or behavioral standards. It does acknowledge that the conventional control-centric approach to information security is increasingly untenable in rapidly evolving and ever-more-complex technology, business and risk environments.
Paul Proctor is vice president, distinguished analyst and chief of research for security and risk management at Gartner. Tom Scholtz is vice president and Gartner Fellow at Gartner, advising clients on security management strategies and trends.