IT security is typically a building process. When a threat is recognised, a new solution is implemented to counter it; when a hole is exposed, the gap is plugged. Of course new innovation focuses on stripping back some of the layers to produce more streamlined defences, but generally the journey is one of constant accumulation, with one solution stacked upon another to shore up our networks.
This, however, is a status quo that some industry analysts believe is stifling and ultimately counter-productive. A radical new proposal, born out of Gartner’s 'Maverick Research' programme, has challenged the traditional mindset of IT administrators by suggesting that killing off security controls and placing more trust in the employee can actually reduce overall risk.
“The essence of this proposal was that maybe in security we’ve been too controlling,” said Gartner’s Research Vice President Tom Scholtz at the group’s Identity and Access Management Summit in London last week. “Maybe if we start looking at doing things differently, we could start reducing some of the security controls and actually end up with fewer threats.”
Scholtz argued that the average workforce is treated too much like a group of children when it comes to security, with a catalogue of rules and restrictions not only hampering autonomy and creativity within an organisation, but also provoking people into circumventing blocks and causing unnecessary problems. The Gartner expert said companies that have reduced security controls in the past have actually found detecting threats easier as a result, because the “noise” of more innocuous data breaches by employees is cut out, making serious hacking incidents from outsiders easier to identify.
The shift in approach is driven by putting people at the centre of the security structure, instead of current systems which typically place people on the periphery of a control-centric model, where power lies in the infrastructure rather than the employees. In practice, the change would give individuals the ability to decide how and when they access ICT systems and data, the responsibility for protecting what they access, accountability for their actions and decisions, and an obligation to report suspicious behaviour in the network.
Scholtz believes security is stronger when people are actively thinking about what they do. He used the comparison of traffic systems that have been trialled in Europe where lanes and barriers are removed to place more emphasis on the actions of the drivers and pedestrians, and accidents have actually decreased as a result. Using examples a little closer to home, Scholtz said successful tech phenomena like open source software and cloud computing relied on similar principles. With the former, software like Google’s Android OS has flourished thanks to steady collaboration from its developer community, while use of the cloud requires a strong degree of personal trust in the cloud provider. Having a precedent of technology systems thriving as a result of human co-operation and faith in the individual suggests Scholtz’s hands-off security concept has a more realistic chance of success than you would initially think.
Although loosening controls and bureaucracy is at the core of the proposal, it is nevertheless recognised that a careful system of monitoring is required to keep the system on the rails. Scholtz was keen to highlight that the plan shouldn’t produce a “Wild West” scenario, and that “it doesn’t mean that there’s no rules… Monitoring is going to be important and we are not saying that we completely remove all controls.” He also emphasised the importance of education in the process. Employees would have to be well informed if they were to maintain the system effectively, and security responsibility would be scaled up and down depending on the knowledge of the individual.
Even as Scholtz outlined the practical measures that reined in the more abstract areas of his security vision, some audience members remained sceptical, forcing Scholtz to admit a certain degree of idealism had come into play in the making of the project. He also said it would take a fair amount of discussion with senior level figures before it could be brought into an organisation, joking that “You don’t want to spring this as a surprise on your executives. That’s a sure way to get yourself fired!”
But the sense of risk hasn’t deterred everyone, and Scholtz claims he currently has “four or five organisations that are implementing some of these principles.” By the end of 2013, he was confident a strong collection of case studies would have been compiled, demonstrating the hands-off strategy in practice. A suitable trial scenario would be within a bring-your-own-device policy, Scholtz argues, as BYOD already involves reduced constraints and greater individual responsibility – suggesting strong compatibility with the free-flowing, people-oriented model of the Gartner Maverick Research programme.
Convincing IT administrators to loosen their grip on the network and persuading organisations to implement this security approach will no doubt be a long-term project for Scholtz and his peers, but in a world where cyber criminals are outsmarting enterprises with increasing regularity, a more radical change of tactics could well be what’s needed.