Less security is more

Better IT security might mean loosening controls, says Gartner research VP Tom Scholtz.

Tom Scholtz specialises in information security policy design, security organisational dynamics, and security management processes.

Gartner research VP Tom Scholtz has suggested that perhaps by loosening security controls, IT can make organisations more secure.

Speaking at the Gartner Symposium and IT Expo, in Cape Town yesterday, Scholtz quoted Peter Cochrane: "If you treat people like children, they will behave like children."

IT almost always considers humans to be the weakest link in security, but he suggests that, with the right training, humans could be the greatest security asset. This is what he labels a people-centric approach to IT security.

Like it or not, IT security is going to have to change, Scholtz argues. Gartner is seeing the rise of a number of megatrends that will take control away from IT: consumerisation, mobile, social and cloud.

"The old security models won't work anymore," he adds.

Already organisations are witnessing an increasing amount of "shadow IT", where employees work around IT's controls in order to use the devices and services they prefer. Dropbox is one example.

"IT should be an enabler, not Dr No," says Scholtz.

By training employees around general security principles, rather than doing constant hand-holding, IT can free up resources to focus on real threat detection. As security threats become more sophisticated, it is becoming nearly impossible to prevent breaches, he argues. In fact, Gartner predicts that by 2020, 60% of security investment will be for detecting and monitoring tools rather than preventative ones.

Less bureaucracy also means happier and more productive employees. In addition, it has been shown that access to information can trigger innovation. While employees should only have access to data that is relevant to their areas, jealously keeping it within silos can stifle growth of new ideas, Scholtz argues.

Scholtz believes that making employees responsible for their own security could have the same effect as the Monderman "shared space" concept in city planning. The concept holds that by minimising demarcations between traffic and pedestrians, road accidents are reduced, because people are forced to pay attention and take responsibility for their actions.

Do not (necessarily) try this at home

The Greek philosopher Socrates believed that no one will do wrong voluntarily.

However, Scholtz states that this is not quite true. People will not always make the right decision, but they will make the decision that is right for themselves within the group context at the time.

Therefore, corporate culture is vitally important before one considers experimenting with people-centric security. While case studies have shown it to work in certain cases, Scholtz cautions that if there is an environment of mistrust or dishonesty within the organisation, tight security controls are needed.

He cites the example of someone caught stealing company stationery who, when interrogated, would state "well, everyone else was doing it".

People-centric security would not work in such an environment.

Tips for implementation

Top-down support is incredibly important before reducing policies and controls, Scholtz emphasises.

"This is not the kind of project you want to surprise your CEO with. Not if you want to keep your job."

In fact, in all the case studies Scholtz uses, the change has been driven from the business side of the organisation, not IT.

Once business and IT are in agreement about the project, Scholtz gives the following advice about implementation:

* You can educate employees with techniques like the Nudge theory, gamification, mentalism, social media and viral marketing.
* Staff should be educated on principles of accountability, responsibility, immediacy, autonomy, community, proportionality, and transparency.
* Policy can become a document of rights/responsibilities for employees. For example: you can access IT systems however you like but you have to protect data otherwise face specific disciplinary action.
* Discipline has to be firm, quick and fair. You can't punish a group if one person does wrong.
* Monitoring employee activity becomes increasingly important to pick up mistakes or unwanted behaviour timeously.

Historically, IT security has meant treating all employees as potential criminals, but Scholtz argues for a balance: keeping the bad guys out without making it difficult for the good guys to do their jobs to the best of their abilities within the organisation.

"If we move to security that is less focused around the bad guys, we free up the good people to do better work," Scholtz concludes.
