How about one for the people…?
When you write a blog focused on technology, you tend to feature items that fit the bill, like drones, driverless vehicles and the like. But an article published last week in Forbes by Paul Proctor and Tom Scholtz of Gartner got me thinking about the truly important and perhaps underemphasized role people play in information and cybersecurity. Their piece, entitled “How To Put People At The Center Of Enterprise Security,” raises an important question: are your people (and not your technology) the key to your information security?
According to Proctor and Scholtz, organizations should be embracing a people-centric security (or “PCS”) approach to securing enterprise and customer information, which “emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.” The PCS approach focuses on motivating safe behavior and boosting education of employees, with the intent of driving the following attributes to “improve [an organization’s] overall risk posture”:
- The PCS agreement of rights and responsibilities creates a collective co-dependency among employees, exploiting existing social capital within the enterprise.
- PCS principles presume an emphasis on detective and reactive controls, along with transparent preventive controls, over the use of intrusive preventive controls.
- PCS works best in a culture where individual autonomy and initiative are encouraged.
- PCS presupposes an open, trust-based corporate culture, and associated executive awareness and support.
- PCS principles presume that individuals have the appropriate knowledge to understand their rights, responsibilities and associated decisions.
Proctor and Scholtz are quick to point out that PCS is not “a replacement for common-sense defense-in-depth security, nor is it a relaxation of security requirements or behavioral standards,” and on this point I wholeheartedly agree. But their vision for an increased emphasis on people, the role employees can play in cybersecurity, and how organizations can motivate and hold those folks accountable for what should be a shared goal of enterprise information security is an important one, worthy of consideration and examination in any organization.