Can removing security controls actually make businesses safer?
Summary: In an almost Darwinian approach to security, one Gartner researcher believes that decreasing, rather than increasing, policy and controls might be the answer to the security status quo.

Although counter-intuitive, Gartner research vice president Tom Scholtz believes that for some organisations, removing restrictive policies and controls could save the business money, or even improve its security.

Speaking at the Gartner Security and Risk Management Summit in Sydney on Monday, Scholtz said that the security status quo is simply not cutting it, and suggested that the answer to improving the situation might be removing, rather than increasing, the number of controls in place, since they simply aren't working.

"I'm pretty sure that we have lost the race in our attempt to throw controls at everything. Just look at what's happening with mobility, mobile device management, and bring your own device [BYOD]," he said.

Scholtz further added that 24 months ago, when he spoke to security professionals about BYOD, they said that they didn't want mobile devices in the workplace. Today, however, he says that these are the very people in the boardroom holding their tablets.

Scholtz explained that controls aren't working because they rarely speak directly to the individual user, and they don't scale to the way people use technology today. He pointed out that many employees don't know why certain policies were formed, and that the majority of them would likely comply with security warnings if they knew what dangers prompted the policy decisions in the first place.

Removing or relaxing these policies and controls, however, could help speak to each user by making them personally responsible for their actions. He pointed to the use of "shared spaces", popularised by Hans Monderman, where vehicles and pedestrians use the same road or footpaths, sometimes with little to no markings or signage. Although the idea might seem dangerous, actual applications in the UK have been argued to be safer, as pedestrians and drivers pay much more attention to their environment.

Scholtz believes the same concept could be applied to certain organisations that are mature enough to build a culture of being security minded. Scholtz calls this people-centric security (PCS), as the security relies on people at its core. However, he stressed that there are some significant challenges.

Key to the concept is a change in workplace culture. This means it is imperative that everyone from the CEO down buys into the idea. It also rules out certain organisations with regulatory or compliance requirements that do not consider workplace culture a sufficient security measure.

Furthermore, Scholtz said that it is certainly not a replacement for defence in depth, as PCS primarily looks at improving security from the inside. Similarly, controls are almost never completely eliminated. But they are reduced where possible, and a focus is placed on reactive controls rather than preventative ones.

PCS is a relatively new and controversial approach to security, and there are a number of requirements for making it work correctly. One such requirement is the need to carefully monitor users' behaviour, which is itself a reactive control.

Scholtz said that things will go wrong, so it's important to immediately identify when users abuse the trust given to them and deal with this on an individual basis. Dealing with these users doesn't necessarily mean removing their access on the first instance of an infraction, however. Scholtz advocated for further education for users that do not understand the consequences of their actions, and then removing the offending users' access for further infractions.
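The graduated response described above (detect the abuse of trust from monitoring data, educate on a first infraction, revoke access on repeat infractions) can be expressed as a small piece of detection logic. The following is an added example, not code from the article, from Gartner or from Scholtz; the audit-log format, the user names and the threshold of two infractions before revocation are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from the article); one event per line.
SAMPLE_LOG = """\
2013-08-19T09:14:02Z user=alice event=login result=ok
2013-08-19T09:20:31Z user=alice event=policy_violation policy=usb_mass_storage
2013-08-19T10:02:17Z user=bob event=policy_violation policy=external_share
2013-08-19T11:45:09Z user=alice event=policy_violation policy=external_share
2013-08-19T12:10:44Z user=carol event=login result=ok
2013-08-19T13:33:58Z user=bob event=login result=ok
"""

# Assumed line shape: an ISO timestamp followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one audit line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def respond_to_violations(log_text, revoke_after=2):
    """Walk the log in order and decide a per-user response for each violation.

    The first infraction by a user yields 'educate'; once the user reaches
    `revoke_after` infractions, every further one yields 'revoke'.  Returns
    the list of (timestamp, user, policy, action) decisions and the per-user
    infraction counts, so the reactive control can be reviewed afterwards.
    """
    counts = Counter()
    actions = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("event") != "policy_violation":
            continue  # only trust-abusing events feed the response
        user = ev["user"]
        counts[user] += 1
        action = "educate" if counts[user] < revoke_after else "revoke"
        actions.append((ev["ts"], user, ev.get("policy", "unknown"), action))
    return actions, dict(counts)


def trust_state(counts, revoke_after=2):
    """Summarise where each seen user stands after the log has been processed."""
    return {
        user: "revoked" if n >= revoke_after else "educated"
        for user, n in counts.items()
    }


if __name__ == "__main__":
    decisions, totals = respond_to_violations(SAMPLE_LOG)
    for ts, user, policy, action in decisions:
        print(f"{ts} {user:6} {policy:18} -> {action}")
    print(trust_state(totals))
```

Two design points matter here. Decisions are made per user and in log order, so the same policy violation can correctly produce different responses for different people, which is the "individual basis" the approach calls for. The threshold is a parameter rather than a constant because an organisation rolling PCS out gradually will want to tune how much slack it extends before access is pulled.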

For those brave enough to try to implement PCS, Scholtz recommended finding executive buy-in, and starting small.

"Roll it out slowly, and monitor and track and define and develop as you go. This is probably not something that you want to do — a major revolutional type of implementation. Start small and get some experience."

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • The overcontrol never worked anyway.

    When you lock things down so tight that users have to bypass the security rules just to do their job... security goes completely down the drain.

    This has always been known.
  • NO, NO, NO

    Failed implementation does not equal a failed approach. Proper awareness, training and education are required for good security. If employees are taught the what and why of the security measures, then they should follow them. IT security staff also need to be open and talk to employees to ensure policies don't interrupt use cases. Communication is critical. Less security is always bad. Besides, internal threats are more common than external.
  • Not less security, but BETTER security

    The problems I've seen and experienced are not related to the amount of security. The problem is poorly implemented security procedures.
  • Make peace, not war

    I surrender my security controls and put them in the users' hands... NOT
  • Good to see some intelligence being used ...

    Until two years ago I had a dozen accounts on as many systems; half a dozen were considered independent high-security facilities. All the high-security ones required long passwords, a mix of ASCII and special characters with minimum numbers of each type, and a change every three months. And we were forbidden to use the same password on them, write them down, or store them on hardware -- especially flash drives.

    Obviously, we all followed the restrictions to the letter. :-)