Digital Workplace Calls for People-Centric Security

— July 05, 2014

Increasing adoption of a more mobile, social, data-driven and consumer-like workplace is causing the breakdown of traditional security models and strategies, according to Gartner, Inc. The firm predicts that by 2018, 25% of large organizations will have an explicit strategy to make their corporate computing environments similar to a consumer computing experience. Security organizations and leaders that fail to alter strategies to accommodate a more consumerized workforce will be sidelined by engaged organizations.

"Significant changes that impact an organization’s approach to security are underway," said Tom Scholtz, vice president and Gartner Fellow. "Employee digital literacy has led to a growing consumerization movement within most enterprises, with employees using a wide variety of consumer-oriented apps for business purposes. Other workplace trends—such as out-tasking, globalization, networked reporting structures, shadow IT and a desire to foster employee engagement—are all impacting IT strategies. As organizations shift toward a more digital workplace, long-held approaches to security need to be re-examined."

Detect and React
The sheer volume of devices and access vectors implied by a digital workplace, coupled with the increase in sophisticated, dynamic attack methods and insider threats, makes the traditional approach of focusing on preventive controls (such as signature-based anti-malware, network and host intrusion prevention systems, pervasive encryption and continuous patching) increasingly ineffective.

While the value of and need for preventive controls will never go away, the digital workplace reinforces the need to focus more on detective and reactive controls. In practice, this means increasing investments in context-aware security monitoring for internal and external environments, threat intelligence assessment capabilities and incident response. Pervasive, context-based monitoring and security information analytics will form the core of next-generation security architectures.

"Implementation of a digital workplace exacerbates the IT department's loss of control over endpoint devices, servers, the network and applications," said Scholtz. "In a fully consumerized workplace, the information layer becomes the primary infrastructure focal point for security control. This reality necessitates a shift toward a more information-focused security strategy."

A digital workplace means that users will be given more freedom in how they use technology and information. This implies a higher level of trust that users will exhibit appropriate behavior in dealing with enterprises’ information resources. Key elements of a behavior-focused security communication strategy include considering "just in time" security awareness techniques, which remediate or reward user behavior based on the appropriateness of that behavior within the user’s context.

Scholtz said, "In addition to an education program that is focused on measurable behavioral outcomes, security leaders should develop their ability to collaborate with personnel and line-of-business managers to modify job descriptions and reward mechanisms so that they are aligned with desired security performance."

User Trust
Gartner believes that trusting the motives and behavior of individual users is a key enabler for the digital workplace. Conventional approaches to information security tend to treat everyone, including employees, with distrust. Such an attitude will impede the digital workplace. However, a more people-centric approach to security will contribute to the potential success of the initiative.

People-centric security (PCS) is a strategic approach to information security that emphasizes individual accountability and trust, and that de-emphasizes restrictive, preventive security controls.

PCS is based on a set of key principles, and on the rights and related responsibilities of individuals. The premise of PCS is that employees have certain rights—but these are linked to specific responsibilities. These rights and responsibilities are based on an understanding that, if an individual does not fulfill his or her responsibilities, or does not behave in a manner that respects the rights of colleagues and the stakeholders of the enterprise, then the individual will be subject to sanction.

While a wholesale PCS strategy is certainly inadvisable for many organizations, it is a viable concept that should be considered as part of the digital workplace.
