Have you ever considered a people-centric security strategy?

FP Archives September 3, 2015, 11:27:09 IST

PCS is a strategic approach to information security that emphasises individual accountability and trust, and de-emphasises restrictive, preventive security controls.

By Tom Scholtz

People-centric security represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment.

Some of you may have tried implementing a people-centric security (PCS) strategy and faced opposition from some business leaders and security and risk professionals. But, how would they react now if they knew that by 2019, digital business adoption will compel 30 percent of organisations to implement PCS strategies – up from less than 5 percent in 2014?

“PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment,” said Tom Scholtz, vice president and Gartner Fellow.

Can those perplexed business people be persuaded to consider PCS in the near future? Here’s a scenario that can take place with a PCS strategy.

The subject is an international group of companies that manufacture high-technology products for various sectors. It consists of multiple global businesses, with major operations in Europe, the U.S. and Asia.

The organisation has a group IT function to provide connectivity services for all the organisation’s subsidiaries. Subsidiaries manage their own systems and applications with their own IT staff. The IT team supports the global WAN and perimeter security, and also provides security and risk services to the subsidiaries.

Until early 2013, the IT team tried to enforce a very orthodox security strategy on the organisation. It created strict policies, rules and controls that all subsidiaries were expected to follow. Given the culture of the organisation, this approach was not very successful.

The group’s CIO realised that something had to change, and started exploring alternative approaches that would be more suitable to the organisation’s autonomous culture and structure. He opted for a PCS strategy that was based on trust.

The trust-based security strategy empowered decision makers within the enterprise’s subsidiaries to make their own risk-based decisions. In essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from the group’s IT team. This enabled a more collaborative approach, much better aligned with the organisation’s culture, that minimises risk while maximising the use of a wide variety of IT services. This was in stark contrast to the previous policy-based dictatorial approach.

The IT team continued to develop and improve its security education program to support the trust-based strategy. In parallel, the group’s CIO reached out individually, via email, to the managing director or president of every subsidiary, outlining the proposed new approach. The rollout of the new strategy was followed up with regular joint strategy review meetings between the group’s IT team and subsidiary executives.

From a security perspective, the IT team is now seen more as a strategic partner by the subsidiaries, rather than an obstacle. The subsidiaries make their own risk-based security decisions, guided by the principles and core standards, with the IT team providing appropriate advice. IT also gets invited much more frequently to support the subsidiaries with their risk decisions. The overall result is that security risk management in the enterprise has improved because:

-- IT, as a corporate function, now has much better insight into the overall risk position of the enterprise.

-- The collaborative approach enables the subsidiaries to make improved risk decisions.

Lessons Learned

The culture of the organisation was a key enabler for the trust-based approach, as was visible executive support. Care had been taken to ensure that the company still met its standard of due care under the various regulatory requirements that applied to it. Ongoing communication was also vital, not just to overcome the objections of a few IT managers, but also to maintain the momentum of the strategy.

Overall, security and risk leaders must carefully consider whether PCS is appropriate for their organisation and ensure that the appropriate enterprise environment exists for PCS. PCS is not a tool for initiating cultural change.

The author is vice president and Gartner Fellow.
