Killing off security controls to reduce risk?
Last week, I was at the Gartner Symposium in Orlando. It was a great week (albeit information overloaded), and I am still processing all of my notes and new learnings. One session I attended has really stuck with me – it was Tom Scholtz’s session called “Kill Off Security Controls to Reduce Risk.”
This topic is part of the “Maverick” research track that Gartner is cultivating, and I must say it is thought-provoking. During the session, my Spock brain was saying “No – illogical,” while my Kirk brain was screaming, “YES! YES!”
A different focus for our Security strategies
Here is the premise: Tom believes we will move away from security strategies that center on systems & data, to a strategy that has people as the focal point – a concept he refers to as “People-Centric Security,” or PCS (yeah, I know – there aren’t any 3-letter acronyms that haven’t been used…)
Here is a diagram Tom uses to illustrate the principles underlying PCS:
While I agree with some of Tom’s assertions in this model (e.g. perimeter-centric security is doomed, and we need to find ways to be more agile and flexible rather than more restrictive and heavy-handed), I don’t see how it will radically change the number of controls we’ll need to be effective. After all, even in this approach, we need to “trust but verify,” which implies controls.
I think the shift will be in where we apply controls, not in whether we apply them at all. We’ll still need policies to set expectations, and detective controls to determine whether those expectations are being met. Detective controls will also create the “facts” we can use to confront individuals who are behaving irresponsibly around our data and infrastructure.
I see some good side effects from this kind of an approach:
- Organizations will have to get better at defining and communicating what is expected with regard to security practices;
- Organizations will have to get better at communicating their expectations and rationale to the individuals within the organization (after all, how can you hold them accountable without context?);
- Organizations will have to do more to establish a “culture of accountability” to create behavioral change.
However, there are also downsides I can envision:
- I think people may end up finding out what the expected norms are only after they screw something up;
- This approach, if not accompanied by consistent, clear policies, could result in some very subjective interpretations of the rules which could cause unexpected “uh oh” moments, particularly in the early days;
- I can see some organizations using this to “weasel out” of their responsibilities;
  - For example, in the first column, you see that “owners are accountable for protecting their information.” That is all well and good, but if you outsource to a third party, you’d better be careful you don’t accidentally absolve them of any responsibility for taking care of your data.
I’m just scratching the surface here, but this is an area I am going to watch closely. There are enough experiments in play to give this movement some credence, and give us some implementations to observe and learn from. For example, here are some projects that Tom cited:
- Rabobank’s “Unplugged” initiative in The Netherlands takes an approach that is very PCS-like;
- Many European countries have removed some of their inter-country controls and borders via the Schengen Agreement;
- Hans Monderman’s “shared space” approach, which is perhaps the most intriguing, in which cars, bikes and pedestrians share an area with almost no signs or other traffic controls.
I’m actively looking for a parallel in our logical security world and seeking answers which will satisfy both the Spock brain and the Kirk brain in my head. This is a challenging (and entertaining) puzzle to solve, in my opinion. What do you think?
If you are a Gartner client, I encourage you to download Tom Scholtz’s brief on this topic and join in the discussion.