How To Put People At The Center Of Enterprise Security

By Paul Proctor and Tom Scholtz
Gartner, Inc.

Employees carry a range of mobile devices to work these days that they expect to connect to corporate email, sites and services. As an IT professional, you give them access, loaded with the latest security protocols. But how much of the real risk for security in today’s connected world rests on each individual?

The reality is that technology solutions give an enterprise only so much security. In fact, too much security technology trying to force people to behave as we wish actually lowers protection levels. Likewise, trying to prevent employees from using certain devices, or banning certain behaviors, is often counterproductive.

An alternative approach that should be considered in our complex digital world is people-centric security (PCS). This strategic approach to information security emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.

Motivating Safe Behavior

PCS is based on a set of key principles that underpins the rights and related responsibilities of individuals. The premise of PCS is that employees have certain rights. However, these are explicitly linked to specific responsibilities.

These rights and responsibilities are based on an understanding that if an individual does not fulfill his or her responsibilities, or does not behave in a manner that respects the rights of his or her colleagues and the stakeholders of the enterprise, then that individual will lose certain rights and be subject to disciplinary procedure. The result is that individuals are motivated to do the right thing because they have a stake in the outcome.

For example, users are given the right to use their personal iPads for corporate email without any mandated preventive security controls, which makes their lives easier. They are also personally responsible for ensuring that no confidential data is compromised via their use of the iPad. The IT organization will offer protective security solutions, but the users have the autonomy to decide whether they want to adopt these controls or not. If they lose any data, they potentially lose the right and the convenience of using the iPad for company mail. Essentially, they are motivated to do the right thing for reasons that are meaningful to them.

Boost Education

Most risk and security programs have many priorities, and companies have limited resources to focus on protecting the most important assets in the company. Often, infractions by employees who ignore policies are not at the top of an organization’s list.

Moving forward, security programs should boost their attention to educating users about what’s at stake in risky practices adopted for convenience. Simple behavior changes can do as much, or more, to protect your enterprise than spending millions on complicated technology that will make users miserable. Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.

Consider how the following PCS attributes might help your organization improve its overall risk posture:
- The PCS agreement of rights and responsibilities creates a collective co-dependency among employees, exploiting existing social capital within the enterprise.
- PCS principles presume an emphasis on detective and reactive controls, along with transparent preventive controls, over the use of intrusive preventive controls.
- PCS works best in a culture where individual autonomy and initiative are encouraged.
- PCS presupposes an open, trust-based corporate culture, and associated executive awareness and support.
- PCS principles presume that individuals have the appropriate knowledge to understand their rights, responsibilities and associated decisions.

PCS is not a replacement for common-sense defense-in-depth security, nor is it a relaxation of security requirements or behavioral standards. It does acknowledge that the conventional control-centric approach to information security is increasingly untenable in rapidly evolving and ever-more-complex technology, business and risk environments.

Paul Proctor is vice president, distinguished analyst and chief of research for security and risk management at Gartner. Tom Scholtz is vice president and Gartner Fellow at Gartner, advising clients on security management strategies and trends. Both analysts will provide more analysis at the Gartner Security & Risk Management Summit, June 8-11 in Washington D.C.