People Centric Security (PCS)
User behaviour accounts for over 50% of information leaks, yet traditional security systems have failed to address this issue.
The fundamental reason for this is the treatment of users as “kids” within such systems. This has resulted in teething security challenges relating to data classification, lack of top management commitment and a high rate of false hits to name a few.
It is time to trust users and move away from the current approach of restrictive controls across the organization, where security is the job of the IT/security department, to a new approach where security is a user responsibility and tools are put in place to enable them to protect information and verify that they do so.
This new approach, championed by Tom Scholtz of Gartner, is called People Centric Security (PCS). PCS assumes that most individuals inherently want to behave in an appropriate manner for the benefit of the business rather than being inherently “Evil”. PCS moves from a Control Centric Security approach to one that is based on trusting users to do the right thing and verifying that they do so. The increased rights and responsibilities of users and the changes in monitoring philosophies under PCS are governed by seven principals, as defined by Tom Scholtz , which are as follows:
1. ACCOUNTABILITY – ENABLES OWNERS TO BE RESPONSIBLE FOR PROTECTING THEIR INFORMATION
You need a solution for Compliance, through user empowerment, making the information owners accountable for the protection of information they are responsible for by creating roles for them in the system. Using these roles, they can now classify the information themselves and, more importantly, define how it should be used. Information owners receive reports on the usage of their information and can make the call if it is not used appropriately.
2. RESPONSIBILITY – SHARED RESPONSIBILITY LEADS TO HIGHER SECURITY
Your Compliance should not adopt a blocking approach to security but instead adopts a more flexible monitoring approach based on responsible use of information. Under this approach, the usage of information is based on the sensitivity of the information as defined by the information owners. However, the users are allowed to make a judgement call and are held responsible for their actions. The approach uses a fundamentally different implementation approach of the traditional technologies of user behaviour analytics and employee monitoring tools
3. AUTONOMY – MORE FREEDOM THROUGH TRUST AND SELF-GOVERNANCE
The proper Business Compliance tool fosters a culture of Trust and Self-Governance among the staff. Users make the call on the usage of the information based on their responsibilities. For example, a finance executive working on a last-minute, next-quarter financial could decide to take it home via USB drive or Dropbox as long as he gets authority to do so from the information owner, the CFO in this case. The finance executive knows that if he does not do that, the CFO will receive the report of his activity and might start an enquiry.
4. IMMEDIACY – USER EMPOWERMENT REDUCES DETECTION TIME AND IMPROVES USER EDUCATION
The primary focus of empowering the users by using a Compliance solution is to reduce the “Detection Time” of a transgression. By decentralising the reporting of transgressions to people who understand the sensitive information, it is ensured they are picked up quickly and remedial steps can be taken immediately.
5. COMMUNITY – FOSTERS A CULTURAL CHANGE TOWARDS SECURITY
One of the biggest challenges faced by security teams is to develop a culture of security in the organisation. Through decentralisation of security roles and responsibilities, a Compliance Service ensures all users starting from top management to junior executives are involved in the decision-making and are responsible for how the information should be used and processed. The added responsibility upon the management ensures that they lead by example for their teams. This facilitates an overall cultural change in the organisation towards security.
6. PROPORTIONALITY – FOCUSED MONITORING VIA DATACENTRIC SECURITY
The freer handling of the information due to greater autonomy allowed under PCS is verified using a Compliance Service’s advanced monitoring features which are proportionate to risk involved. Your Compliance Service should work on the principals of total visibility of sensitive information and Data-Centric security. Unlike many existing security technologies which either block or allow an entire medium, a Compliance Service focuses on protecting the data while giving total visibility to the responsible users. This ensures users are not burdened by unnecessary security but still have the flexibility to do get their job done.
7. TRANSPARENCY – BUILDS TRUST AMONG USERS
A Compliance Service is built on the philosophy of Trust but verify. All monitoring is done in consultation with the specific departmental heads and information owner groups
Hopefully this provides an overview on what PCS offers an organisation.
A Compliance Service is available for organisations throughout Australia today.
Let us know if you need any additional information.