Brave firms with the right security culture and executive support are testing and benefiting from a people-centric approach to security, says Gartner.
Adopting such an approach is not a trivial exercise, but case studies have shown the benefits, researcher Tom Scholtz told the Gartner IAM Summit 2015 in London.
Although education is an essential element, people-centric security (PCS) is more than security awareness training and is aimed at challenging the traditional view of people as the weakest link.
Instead, by enabling every employee to make informed security choices and decisions, companies can turn every member of their workforce into a strong information security agent.
Just as Dutch road traffic engineer Hans Monderman’s shared space concept has led to fewer and less serious accidents, PCS pioneers are seeing fewer, less severe data breaches, said Scholtz.
“Shared space like PCS shifts responsibility for safety onto the individual and encourages them to be more vigilant and to think carefully about their actions and potential consequences,” he said.
Scholtz said that although it is counter-intuitive, reducing security controls can improve staff morale, improve security and, by reducing bureaucracy, cut costs.
“Organisations that have followed this approach report that by moving from a control-centric model and putting people at the centre, they have reduced risk and improved security,” he said.
At the core of PCS is the recognition that while people have rights, they also have explicit responsibilities to the business and other users of IT in the organisation.
It is up to individuals to make decisions, and they will be held responsible for their actions based on a set of core principles.
Education is the fundamental enabler, said Scholtz, because people can be held responsible for their decisions only if they understand the consequences of those decisions.
“People cannot make decisions in a vacuum without understanding the consequences of using IT and information,” he said.
The ability to monitor people’s decisions and actions is another essential part of PCS to ensure that when people make mistakes, those mistakes can be identified and fixed quickly, and lessons are learned to ensure such mistakes are not repeated.
Although Sholtz said PCS is still “a work in progress”, all deployments to date have been based on seven core principles:
In the context of PCS, accountability for protecting information rests with the owners of that information, who are best qualified to make decisions about who should have access to that information.
People will be held responsible for the consequences of their actions through collective oversight and they are expected to act responsibly and ethically in their use of information to support the business.
Reaction to any misbehaviour will be immediate, but efforts to support compliance with best practices will outweigh any punitive action.
“The first assumption is that any misbehaviour is a genuine mistake and the individual concerned should be helped to understand why their action was wrong, so they do not do it again,” said Scholtz.
“However, if wrong actions are repeated and punitive action is required, it must be strictly enforced.”
This principle recognises that individuals exercise autonomy in how and when they use information and apply security principles linked to responsibility and based on their business and security knowledge.
This principle recognises that individuals do not make decisions in isolation and so the onus is on the leadership to ensure a positive culture of collaboration that supports good decisions.
Any controls imposed must be proportionate to the risks, but in PCS, the aim is to opt instead for monitoring and response capabilities or automated controls, wherever possible.
User behaviour is closely monitored, but every punitive action must be open to scrutiny to prevent vigilantism in a community where everyone is an auditor.
“PCS is still evolving, but a number of organisations that Gartner is tracking have implemented some or all of the core principles,” said Scholtz.
By switching to PCS, a large industrial firm has been able to reduce 1,500 roles in an ERP system to just 17 roles, comprising five generic roles and 12 specific exceptions where greater confidentiality is required.
“The company is doing a pilot with 200 users and reports that monitoring exceptions is easier and that users say they feel less frustrated,” said Scholtz.
“The company also reports improved security, fewer security policy violations, and fewer false positives, but it important to note there is an existing culture of trust and clear executive support.”
Reduce mandatory security policies
An energy multinational company that is testing PCS has been able to reduce 43 mandatory security policies to just eight, but had to invest in better monitoring capabilities to ensure accountability.
“The company reported that employees preferred the monitoring and accountability approach to being dictated to and the business reported more meaningful discussions about risk with IT security teams, with both sides benefiting from better insights,” said Scholtz.
A multinational manufacturer has also reported being able to reduce its core security policies to six, with the rest of the old policies being rewritten as best practice advice or being made available as services.
The company has reported improved risk decisions and better security policy adoption, whereas before trying PCS, most policies were ignored in a highly decentralised organisation.
More access to information
According to Scholtz, the PCS implementations that Gartner is monitoring show that people can be trusted with more access to information and functionality to support the business than common wisdom allows.
But he said it is important to recognise that PCS does not fit all organisations because of cultural prerequisites, and there is a certain amount of risk in adopting this approach.
“The biggest challenges are around organisational culture and legal responsibility,” he said.
Gartner says PCS may be a direct fit for only about 5% of organisations, but Scholtz said it is making a valuable contribution to the debate around finding a better approach to security.
“The most important principle to be applied in new security models is that of turning each individual into a security agent,” he said.