How to put people at the centre of security


  • TECH
  • Thursday, 11 Jun 2015


By Paul Proctor


Employees carry a range of mobile devices to work these days that they expect to connect to corporate e-mail, sites and services.

As a business, you give them access, loaded with the latest security protocols. But how much of the real risk for security in today’s connected world rests on each individual?

The reality is that technology solutions give an enterprise only so much security. In fact, too much security technology trying to force people to behave as we wish actually lowers protection levels.

Likewise, trying to prevent employees from using certain devices, or banning certain behaviour, is often counterproductive. An alternative approach that should be considered in our complex digital world is people-centric security (PCS).

This strategic approach to information security emphasises individual accountability and trust, and de-emphasises restrictive, preventive security controls.

Motivating safe behaviour

PCS is based on a set of key principles that underpins the rights and related responsibilities of individuals. The premise of PCS is that employees have certain rights. However, these are explicitly linked to specific responsibilities.

These rights and responsibilities are based on an understanding that if an individual does not fulfil his or her responsibilities, or does not behave in a manner that respects the rights of his or her colleagues and the stakeholders of the enterprise, then that individual will lose certain rights and be subject to disciplinary procedure.

The result is that they are motivated to do the right thing because they have a stake in the outcome.

For example, staff are given the right to use their personal iPads for corporate e-mail without any mandated preventive security controls, which makes their lives easier.

But they are also personally responsible for ensuring that no confidential data is compromised via their use of the iPad. The IT organisation will offer protective security solutions, but the users have the autonomy to decide if they want to adopt these controls or not.

But if they lose any data, they potentially lose the right, and the convenience, of using the device for company mail. Essentially, they are motivated to do the right thing for reasons that are meaningful to them.

Boost education

Most risk and security programmes have many priorities, and companies have limited resources to focus on protecting the most important assets in the company.

Often, infractions by employees who ignore policies are not at the top of an organisation’s list.

Moving forward, security programmes should educate users about what is at stake in risky practices adopted for convenience.

Simple behaviour changes can do as much, or more, to protect your enterprise than spending millions on complicated technology that will make users miserable.

Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.

Consider how the following PCS attributes might help your organisation improve its overall risk posture:

  • The PCS agreement of rights and responsibilities creates a collective co-dependency among employees, exploiting existing social capital within the enterprise.
  • Its principles presume an emphasis on detective and reactive controls, along with transparent preventive controls, over the use of intrusive preventive controls.
  • PCS works best in a culture where individual autonomy and initiative are encouraged. PCS presupposes an open, trust-based corporate culture, and associated executive awareness and support.
  • Its principles presume that individuals have the appropriate knowledge to understand their rights, responsibilities and associated decisions.

PCS is not a replacement for common-sense defence-in-depth security, nor is it a relaxation of security requirements or behavioural standards.

It does acknowledge that the conventional control-centric approach to information security is increasingly untenable in rapidly evolving and ever-more-complex technology, business and risk environments.

Paul Proctor is a vice president, analyst at Gartner and chief of research for security and risk management.
