Are Users the Future of CyberSecurity?

Gartner is shopping the idea that the people using IT systems and corporate data are perhaps the best ones to guard them. They are calling it People Centric Security (PCS). According to a ZDNet article, People Centric Security loosens IT controls and relies on end-users to assume responsibility for protecting IT systems and data.

Tom Scholtz at Gartner (IT) presented the idea at the recent Gartner Identity and Access Management conference. They explained it this way: empower users with responsibility for systems and data important to their work, sprinkle in consequences for breaching that responsibility, and users will do the right things to secure their environment.

Gartner argues that the convergence of social, mobile, cloud and big data is eroding corporate boundaries and controls in many areas long thought to be state-of-the-art defenses. “The current approach in developing policies and controls doesn’t scale to current realities,” Mr. Scholtz said.

Mr. Scholtz argues current information security policies and tools grind on productivity. He says the relationship between IT, the business, and workers has transformed and necessitates a change in regard to information security. “In this brave new world, what we do as security people is viewed as negative. We are the people who slow things down.”

However, Gartner is not advocating losing all controls and policies, only loosening them. Mr. Scholtz argues that taking away controls on data and replacing them with new user-based responsibilities, principles, and rights may just improve end-user focus and produce a more managed and secure environment. “We cannot forget about the bad guys outside our enterprise; we do not get rid of all our defenses,” he said.

“One of the realities in the current approach to information security is we treat the 95% of people that want to do the right thing, we treat them like the bad people in order to protect against the bad things done by the 5% of people who have bad intentions,” said Scholtz. “We treat them like children, and if you treat people like children, they will act like children.”

The PCS goal is to implement a “trust space.” ZDNet explains that concepts surrounding “mutual trust” are not new. They have been used in traffic planning, Europe’s Schengen Agreement, open source, and even cloud computing, where companies trust that large providers will protect their data as part and parcel of protecting their own valuable brands.

Gartner’s People Centric Security Principles

Such an environment “makes it easier to monitor for exceptions, the good people are not trying to circumvent the controls,” says Scholtz.

Gartner’s Scholtz knows PCS is not for everyone and that implementation poses cultural and educational challenges. “Maybe we could develop a situation where we have a set of underlying principles that underpin how people use data and how they access systems, and we link those with specific individual responsibilities,” he said. “Maybe we get a more collaborative and social environment.”

According to the article, there are specific requirements if PCS is to prosper: the process has to be top-down, and there have to be effective punishments for those who abuse their rights. Scholtz admits his concepts are in the embryonic stage, but that they will evolve in the coming months as he works with select enterprises. He noted that a European bank and a U.S.-based agricultural business are already adopting PCS concepts.

 rb-

How crazy do you think the PCS concept is? Can it work? Remember that just a couple of years ago, Gartner called BYOD, which I covered here in 2010.

Are your users the future of cybersecurity?


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
