Practices that don’t restrict or limit employees, but rather empower each individual to make the best choices on behalf of their organization when it comes to security. This means switching the focus from preventing security breaches to educating employees and empowering them to be your strongest information security agent.
I know the first time I heard this push, I was skeptical. I was at the Gartner’s IAM Summit 2014 when I first heard an analyst stand up and turn traditional security thinking on its head. Since then I have read more articles on the subject and even spoken to IT leaders. This idea is less futuristic and starting to take shape today.
This leads me to the final truth in my Five Important Truths about Digital Workspaces in a Dangerous World blog series – Truth #5 Embrace Employee and Business Unit Empowerment.
Shared Responsibility Breeds Positive Results
When I first heard about trust-based security, it was related to the success of Hans Monderman who designed an approach on “shared spaces”. His theory is that in congested city streets there are too many traffic controls. As a result, people stop thinking and just react, or worse, ignore the safety protocols put in place to prevent accidents.
He recommended removing all road signs and simply asking people to behave safely while keeping an eye out for pedestrians, bicyclists, etc. His idea has changed the thinking behind urban transportation planning and has shown success globally. When empowered to make choices, people thought more about their actions and reacted appropriately, resulting in reduced risk and a controlled flow.
Principles of People-Centric Security
While security in your organization isn’t quite the same as traffic flow, many of the same principles are at play. Gartner identified them at their IAM Summit and also shares them in their report “Consider a People-Centric Security Strategy”.
| Principle | Description |
|---|---|
| Accountability | Transition power from IT to the business and workforce to determine who has access to which applications and services. The content creator becomes the one responsible for securely sharing the content. |
| Responsibility | Make everyone an auditor and hold them accountable for their actions and decisions. |
| Immediacy | If someone breaks the security code of conduct, react immediately and assign any punitive outcomes swiftly. |
| Autonomy | Give employees autonomy and inform them that with it comes the power to choose how and where they will use and access information. It must be understood that consequences follow from this power. |
| Community | People tend not to make decisions independently; it is culture that shapes group thinking and decision making. It is critical that leadership establishes this culture of trust in both words and action. |
| Proportionality | Controls must be proportionate to the risk. IT needs to strike the right balance between monitoring or responsive controls and preventative controls. |
| Transparency | Expectations must be communicated and any punitive outcomes well understood. Any punitive action will invite scrutiny, so be open about the process and outcomes. |
These principles are all about placing employees at the heart of security instead of creating a force field that restricts employee movement. It is often the restrictions that are put in place that open up security vulnerabilities as your employees seek a work-around.
Getting Started with Employee Empowered Security Practices
Trust-based security practices may feel like a leap of faith and loss of control. However, there are some starting points you can take without fully jumping in at once:
- Empower Employees with Self-Service – When users can quickly access services and applications from a whitelist of resources, they are less likely to use unauthorized ones, eliminating the need for Shadow IT.
- Enable Automatic Approval and Delivery – By automating authorization and provisioning policies, business will systematize the delivery of IT services and applications, keeping access secure, consistent and reportable.
- Reallocate IT Resources to More Proactive Security Initiatives – Self-service and automation also free up IT resources to work on more strategic projects, some of which can be more proactive security measures.
I challenge you to think of your current security practices and identify where a loosening of control could empower your workforce and ultimately lead to greater business agility and even less risk.
For those who have followed my blog series, thank you. I hope you gathered a few insights along the way! As always, you can get the entire five truths by downloading the whitepaper here.