Ever heard the saying: if you treat people like children, then they’ll act like children?
“Unfortunately, many conventional security approaches still have this mindset — that human beings are the weakest link, they’re the ones that make the dumb mistakes, hence we have to control them,” says Tom Scholtz, a vice-president and fellow with Gartner Research, in a recent webinar.
That’s why we’re starting to hear about a new — and somewhat controversial — approach to information security, called people-centric security (PCS). And it’s one that flips conventional thinking on its head.
If we look at what’s happening today in the digital enterprise, we’re seeing an exponential increase in the number and complexity of devices, platforms, applications and access methods. And the IT department is experiencing a loss of control.
Traditional security policies don’t work well in this world, says Scholtz. They lead to restrictive controls, seldom speak to the individual, and are seldom — if ever — able to rapidly evolve and adapt to the new realities of the digital enterprise.
And while he’s not saying PCS is the one and only answer to this challenge, he believes we have to challenge common wisdom and look at alternative approaches to conventional security practices.
“One of the conventions that we have based a lot of our practices on is the understanding that the single weakest link in the information security chain is the human being,” says Scholtz. “Maybe it’s time to start challenging that particular convention.”
PCS emphasizes trust and individual accountability. If we can reduce the number of imposing, restrictive, preventative controls on users, we could — rather ironically — end up with better security.
Embrace the shared space
Scholtz points to the concept of “shared space” in urban traffic management environments. There are so many external controls on roadways that most of us just tune out — we assume the controls will protect us. But if we take away most, if not all, physical controls in this environment, we suddenly start paying attention. And we take responsibility.
Shared space has been shown to reduce the number of traffic accidents, as well as the impact of any accidents that do happen. Traffic laws still apply; it’s about taking away the highly visual, highly complicated controls used to enforce those laws.
Like an urban centre without stop signs or sidewalks, PCS is a bit disconcerting. Trust the user? Allow employees to decide how they use information?
To make this work, users need to understand the consequences of the decisions they make, says Scholtz. If an individual makes a mistake, then that individual will be held responsible (and not everyone else in the organization). But in order to make appropriate decisions, users need to be educated about security principles and risks. Trust, but monitor.
By moving away from restrictive controls, we could reduce bureaucracy, reduce costs associated with protecting our environment and improve staff morale by giving them more freedom. And that could help businesses become more agile and innovative.
And hey, we might even end up with better security.