Have You Ever Considered a People-Centric Security Strategy?
People-centric security represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment.
Some of you may have tried implementing a people-centric security (PCS) strategy and faced opposition from some business leaders and security and risk professionals. But how would they react now if they knew that by 2019, digital business adoption will compel 30 percent of organizations to implement PCS strategies, up from less than 5 percent in 2014?
PCS is a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.
“PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment,” said Tom Scholtz, vice president and Gartner Fellow.
Can those perplexed business people be persuaded to consider a PCS strategy in the near future? Here’s a scenario that can take place with a PCS strategy.
The subject is an international group of companies that manufacture high-technology products for various sectors. It consists of multiple global businesses, with major operations in Europe, the U.S. and Asia.
The organization has a group IT function to provide connectivity services for all the organization’s subsidiaries. Subsidiaries manage their own systems and applications with their own IT staff. The IT team supports the global WAN and perimeter security, and also provides security and risk services to the subsidiaries.
Until early 2013, the IT team tried to enforce a very orthodox security strategy on the organization. It created strict policies, rules and controls that all subsidiaries were expected to follow. Given the culture of the organization, this approach was not very successful.
The group’s CIO realized that something had to change, and started exploring alternative approaches that would be more suitable to the organization’s autonomous culture and structure. He opted for a PCS strategy that was based on trust.
The trust-based security strategy empowered decision makers within the enterprise’s subsidiaries to make their own risk-based decisions. In essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from the group’s IT team. This enabled a more collaborative approach, much better aligned with the organization’s culture, to minimizing risk and maximizing the use of a wide variety of IT services. This was in stark contrast to the previous policy-based, dictatorial approach.
To find out more, visit the Smarter With Gartner website.