Putting people at the centre of enterprise security

In security, people are the weakest link. CIOs must therefore educate and empower employees to understand the risks and make better security decisions -- and executives must lead by example.
Written by Stilgherrian, Contributor

"We are facing a cultural disconnect of epic proportion. Executives believe that IT risk and security is a technical problem," said Paul Proctor, Gartner's chief of research for security and risk management. The result, he said, is that executives think they can deal with security simply by hiring the right people and giving them money -- but not too much money.

Those executives are wrong, of course. Security is a people problem. It always has been. It's people who end up making poor security choices and putting the enterprise at risk, whether that's through poor training, security policies that get in the way of them getting their job done, or even just poor management leading to overwork and inattention.

Yes, those executives are wrong, but they're not solely to blame; CIOs and CSOs are also guilty.

"We're as much to blame as executives for this situation," Proctor said. "Executives really should understand and appreciate this problem better than they do. But our problem is, we're not helping them. Many of our behaviours, the things we do, perpetuate this disconnect."

Proctor was speaking at Gartner's Security and Risk Management Summit in Sydney back at the end of August, where the consulting firm promoted its ongoing narrative for understanding the changing risk landscape, and its strategy for addressing the disconnect. It's been pushing the message hard ever since.

Gartner's narrative begins with the idea that every business is becoming a digital business, where profitability is derived from the flow and management of digital information. That means business risk is really what Gartner is now calling "digital risk" -- and it's not only traditional business data that could be at risk, but also customers' personal data.

The car-hire services Uber and Lyft are obvious examples of digital businesses. They connect customers to drivers through a smartphone app, leaving it to someone else to handle the messy business of providing a physical road vehicle and steering that collection of atoms through the city streets.

But an insurance company could also fit the description. The Internet of Things (IoT) means that car insurance rates could be negotiated on a per-journey basis -- once your smart car has told it about your driving habits, your smartwatch has told it how little sleep you've been getting and, perhaps, even that your movements indicate that you might have been drinking.

"This is not about information security anymore. Digital business is blurring the physical and digital worlds," Proctor told ZDNet.

"Digital risk is not 'Did we encrypt the link between the device gathering how many steps you took and our server?' That's traditional information security. We're talking about the issue [of] 'What are we doing with this information? Is it enhancing our business? Is the risk worth it? Is there a regulation in a country that says you can't do that? Are they going to arrest our CEO when they land in that country?'"

Digital risk is about taking a holistic view that includes the emerging issues relating to IoT, and even physical security, as well as traditional IT risk and operational technology (OT) risk -- and, as an aside, it seems that few businesses understand OT risk.

The financial disaster at Knight Capital Group in 2012 is a clear example. One of Wall Street's leading trading companies, Knight processed an average of $3.3 billion in share trades daily. But one morning, a botched upgrade of its trading software led to it issuing a flurry of erroneous orders on the New York Stock Exchange. The result? The company lost $440 million in just 30 minutes.

"Digital risk is different when your entire company is based on [the] Internet of Things. You may actually care about that," Proctor told ZDNet.

"Power companies, very dependent on their SCADA systems that keep the generators and all the different aspects of power generation going, if those things fail, they go out of business. Well, those things have never been connected to the internet. They haven't had 1,000 sensors on them that could be compromised."

How security killed innovation

"The harsh reality is that our employees do not have a sense of personal responsibility when it comes to risk management and technology, and, as a result, decisions made by a single employee can pull the foundation out from under your entire business," said Gartner research vice president Andrew Walls.

"We have discouraged them from taking responsibility for risk management. We did this by taking away the ability of employees to control their own security. We installed endpoint controls, and we removed administrator privileges."

Those standard practices did improve endpoint security, but they also disenfranchised employees.

"We rarely communicated with employees, and most of our communications were irrelevant to their work priorities. And we said 'No' a lot of the time. We denied employees the ability to try new approaches, driving them away from the IT organisation, and discouraging their efforts at improving enterprise operations. We have lost solid risk-management reasons for doing all of this," Walls said.

Walls argued that successive waves of technology, each more personal than the last, have turned ordinary employees into power consumers of computing capabilities that have outgrown the scope of the IT organisation: from the Commodore, Atari, and Apple II, through PCs, to smartphones and tablets, and on to mobile services and the cloud.

"Innovation takes place at the edges of organisations, and innovation is critical to long-term success of our enterprises. But that innovation disrupts the careful plans that we make for risk management," Walls said.

"We have encountered some unintended consequences. First, a security team that is considered a nuisance, and out of touch with the rest of the enterprise. Employees that actively ignore or work against security and risk-management priorities. And lastly, managers that work to avoid IT and security involvement in their projects," he said.

"This situation is bad, because it erodes our ability to manage risk on behalf of the enterprise. We need to change it, and we need to provide real support for business progress."

Introducing PCS: People-centric security

The core framing message of Gartner's Security and Risk Management Summit was people-centric security (PCS) -- structuring your security strategy and processes around people's innate humanness.

"It is a model based on the social sciences that puts an emphasis on incentivising people to do the right thing. Gamification makes things fun so people do it, [but] this is not gamification," Proctor told ZDNet.

"It's about setting up your controls in a manner that motivates people because they have something to lose. I give you certain rights and responsibilities. I give you the ability to use your personal device to get corporate email on it, but I also tell you don't put a bunch of company sensitive information on that."

A light-touch approach to monitoring user behaviour means that breaches of the rules are detected. Employees are encouraged to follow the rules, because losing the privilege of accessing their email remotely means they'd be tied to their desk.

Proctor compared PCS with the urban design approach called shared space, which in its modern form was pioneered by the Dutch road traffic engineer Hans Monderman. By removing traditional traffic management features such as signs, road markings, and even curbs and regulations, the accident rate was actually reduced.

"The individual was motivated by the condition to say, 'I need to pay attention to what's going on'," Proctor said.

"It's not a panacea. It's not like you're going to replace all of your stuff. But we're not talking about posters and mouse pads that tell you security is important. We're talking about setting up situations where people go, 'I need to do the right thing here, because it's in my interests, it's not just somebody telling me what to do.' That's the big revelation on people-centric security."

Gartner's people-centred security framing contrasts with the data-centric framing promulgated by Websense and some other vendors -- but that's really just a matter of perspective, according to Eric Stevens, information security and strategy officer in Websense's Office of the CSO.

"The data really has to be the perimeter. We have the capability now to identify the data, where it rests, where it's moving, etc, but also behaviourally to look at how it's being used, where it's going, and contextually looking at the users inside the organisation, and what their specific permissions for the handling of that data really need to be," Stevens told ZDNet.

It's important to consider security from the perspective of the data, but a company is made up of people, and people need the data to do their jobs.

"Looking at it from the people perspective is really [about] the behavioural aspect of how they're using that data -- educating them, giving them what they need so that they can then make good decisions on what to do with that data. Your employees can be a huge amount of risk, based on that handling."

Employees also have to be given systems that they can live with, and that don't impact business profitability by decreasing their performance.

"Sometimes, the morale hit is huge when you put in some of these security controls. I have seen people leave companies just because of technology that was put in place to secure something," Stevens said.

"Employees don't like to be monitored, they don't like to think of it that way, and so you have to really communicate with them sometimes that these systems are protecting them from violating a policy."

Making the change to PCS

"Supporting innovation in the digital business requires that employees take more control and responsibility for security and risk management," said Gartner's Andrew Walls, who thinks that message is so important that he said it twice.

But how would that work in practice? After all, employees sit through security awareness training every single year, yet they still make bad security choices.

"When a piece of technology consistently fails to perform in the way we desire, we generally redesign the technology. In the case of security education, we keep doing the same thing every year and expecting different results from our people. You must take responsibility to change the purpose of security training and communication for your organisation," Walls said.

"Don't wait to be told to do it. Don't ask for permission to do it. Just do it."

It's impossible to predict every situation an employee might encounter that could involve a security risk decision. Influencing their behaviour is therefore a process that extends far beyond the realm of security training.

"It starts with education, but it also requires all of us to become -- is everybody sitting down? -- marketers. Yeah, we need to market security behaviour toward people," Walls said.

"Our job is to make the good choice more attractive than the bad security choice."

Walls provided a few hints for implementing PCS.

He recommended examining the entire enterprise, and changing anything that drives the wrong choices -- "for example, we need to stop rewarding people for taking unacceptable risks," he said.

His next tip was to use culture to drive good behaviour, and engage in advertising, storytelling, peer pressure, peer recognition, and, most importantly, consistent leadership.

Executives and IT personnel must consistently demonstrate good security decisions and choices -- "You must convince them to lead through example, or, at a minimum, sponsor the development of a culture of risk management. They cannot be bystanders," Walls said.

"You can't change all employee behaviour at once. You have to pick your battles, based on your own risk priorities, and change your enterprise in increments," he suggested.

Organisations need to be smart about prioritising. That means using formal risk-assessment processes, not just reacting to whatever management currently finds scary.

"For many of you, priorities equals chasing threats. Why are you all investing so heavily in APT detection? In part, because it's the threat du jour," Walls said.

"All the big threats take their turn. Endpoint vulnerabilities. Malware. Application vulnerabilities. Sensitive data stored where it doesn't belong. Insider threats -- thank you, Mr Snowden. And now, nation-state hacking. The show floors at security conferences are barometers for the threat and technology du jour. It's the year of PKI, any day now. It's the year of IDS -- wait, IPS sorry. It's the year of SIEM. It's the year of DLP. And now, it's the year of big data analytics."

The right way to set priorities is to start with the basics, Walls said.

"Patch and update. Good fundamental policies. Security education. Encryption where it's warranted. Serviceable perimeter protection. Plus some identity and access management. This addresses 80 percent or more of your risks. And once you've got those basics covered, smart organisations prioritise using a formal planning process based on risk assessment."

An organisation's security culture is what will save it from a security disaster, not technology.

"Every employee needs to be thinking about security the same way they think about brushing their teeth each morning," said Jason Brown, national security manager for defence contractor Thales, at the Security 2012 conference in Sydney. The tips for developing a security culture presented at that conference by Nicholas Martin, director of risk-management consultancy Occams Razor, parallel Walls'.

Partnership leads to success

Security decisions are about risk, as we've said, but unfortunately, Australian organisations don't necessarily have a good understanding of managing IT security risk as part of a broader operational and technology risk-management process. Consultations between the Australian government and industry have revealed a patchy security landscape.

"The key fundamental thing that we notice between the companies we think have reached a relatively high level of cybersecurity maturity and those that haven't is this issue about understanding the value of the information," said Mike Rothery, first assistant secretary in the National Security Resilience Policy Division of the Attorney-General's Department.

The organisations where risk management is well integrated are those where there's a good dialogue between executives and CISOs, based on a common language for the dollar value of risk.

Walls agrees that it's about partnership.

"It's clear that security and risk-management programs that enable business innovation and progress are those that engage with enterprise colleagues as partners, focus on exceeding enterprise expectations for digital performance, and learn the business well enough to anticipate the innovations that the enterprise needs tomorrow. Anticipation means that you're not surprised by, for example, the popularity of Dropbox, because you already understand the existing roadblocks to business performance," he said.

"All of us must expand our focus beyond operational control and into an advisory capacity, and we need to be willing to abandon legacy tool sets in favour of new approaches."
