Can removing security controls actually make businesses safer?

In an almost Darwinistic approach to security, one Gartner researcher believes that decreasing rather than increasing policy and controls might be the answer to the security status quo.

Although the idea is counter-intuitive, Gartner research vice president Tom Scholtz believes that for some organisations, removing restrictive policies and controls could save the business money, or even improve its security.

Speaking at the Gartner Security and Risk Management Summit in Sydney on Monday, Scholtz said that the security status quo is simply not cutting it, and suggested that the answer to improving the situation might be to remove controls rather than add more, since the ones in place simply aren't working.

"I'm pretty sure that we have lost the race in our attempt to throw controls at everything. Just look at what's happening with mobility, mobile device management, and bring your own device [BYOD]," he said.

Scholtz further added that 24 months ago, when he spoke to security professionals about BYOD, they said that they didn't want mobile devices in the workplace. Today, however, he says that these are the very people in the boardroom holding their tablets.

Scholtz explained that controls aren't working because they rarely speak directly to the individual user, and they don't scale to the way that people use technology today. He pointed out that many employees don't know why certain policies have been formed, and that the majority of them would likely comply with security warnings if they knew what dangers prompted policy decisions in the first place.

Removing or relaxing these policies and controls, however, could help speak to each user by making them personally responsible for their actions. He pointed to the use of "shared spaces", popularised by Hans Monderman, where vehicles and pedestrians use the same road or footpaths, sometimes with little to no markings or signage. Although the idea might seem dangerous, actual applications in the UK have been argued to be safer, as pedestrians and drivers pay much more attention to their environment.

Scholtz believes the same concept could be applied to certain organisations that are mature enough to build a culture of being security minded. Scholtz calls this people-centric security (PCS), as the security relies on people at its core. However, he stressed that there are some significant challenges.

Key to the concept is ensuring a change in workplace culture. This means it is imperative that everyone from the CEO level down buys in to the idea. It also eliminates certain organisations that have regulatory or compliance requirements that do not consider workplace culture a sufficient security measure.

Furthermore, Scholtz said that it is certainly not a replacement for defence in depth, as PCS primarily looks at improving security from the inside. Similarly, controls are almost never completely eliminated. But they are reduced where possible, and a focus is placed on reactive controls rather than preventative ones.

PCS is a relatively new and controversial approach to security, but there are a number of requirements to making it work correctly. One such requirement is the need to carefully monitor users' behaviour — a reactive control.

Scholtz said that things will go wrong, so it's important to immediately identify when users abuse the trust given to them and deal with this on an individual basis. Dealing with these users doesn't necessarily mean removing their access on the first instance of an infraction, however. Scholtz advocated further education for users who do not understand the consequences of their actions, and then removing the offending users' access for further infractions.

For those brave enough to try to implement PCS, Scholtz recommended finding executive buy-in, and starting small.

"Roll it out slowly, and monitor and track and define and develop as you go. This is probably not something that you want to do — a major revolutional type of implementation. Start small and get some experience."