As data breaches increase globally in both severity and frequency, business leaders are realizing that achieving better security outcomes requires a significant shift in the traditional mindset and approach.
It is all too easy to point to examples of massive cyberattacks in which malicious actors managed to move freely through internal systems once they gained access behind corporate firewalls. The traditional castle-and-moat approach to security quite simply isn’t up to the task of dealing with the current threat landscape.
This is a large part of the reason why resources such as Forrester’s “Zero Trust Security Playbook For 2019” are attracting so much attention. As a security concept, zero trust is based on the principle that organizations should never automatically trust anything inside or outside their perimeters. Instead, they must verify everyone and everything trying to connect to their systems before granting access.
When successfully implemented, the zero trust framework can be a positive step toward building resilience. However, beyond the difficulties involved in applying it to legacy systems, zero trust also shares one of the same shortcomings as the castle-and-moat approach: It relies on a duality of technology and architecture to achieve target security outcomes without really considering how the security framework fits into a wider organizational system of dynamic business interactions.
More importantly, the role of people — and particularly the role of the wider pool of nontechnical talent — isn’t considered relevant in the journey toward better security outcomes.
Thinking About Security as a System
While the thinking around architecture and the trust-bias toward technology may be shifting, many IT and security professionals still have a long way to go when it comes to learning to trust nontechnical colleagues and stakeholders from outside their immediate circle.
Technical specialists often lambaste users for their alleged stupidity, carelessness, cluelessness, etc. But there is very little introspection in IT and security circles about why it is so easy for users to make mistakes. Could it be that the tools and processes that users interact with are unnecessarily cumbersome and actually conducive to misuse and error? Is it really hard to believe that perhaps the underlying security program design is also at fault, not just the human element?
Don’t Lose Sight of the ‘Why’ of Security
Maybe the time has come to retire the old perception that humans are the weakest link and represent the greatest risk in a security program. Have we forgotten why we’re doing security in the first place?
The “why” is not about protecting the network; it’s not even about protecting the crown jewels.
The “why” is about protecting what the network enables and safeguarding what the crown jewels represent. While the specifics will vary from business to business, fundamentally what we’re talking about is protecting the integrity of people, their assets and their foundation of trust — in other words, their ability to live their lives freely in the secure physical and financial conditions of their choosing.
From Weakest Link to Precious Resource
Contrary to the default specialist position that tends to reduce the human element in security to the role of nuisance risk-factor, let’s remember that without customers and internal users there would be no business — and without a business, there would be no need for IT or security in the first place.
We need to stop trying to circumvent people and instead start trusting them to play a key role in operationalizing security as a system. The time has come for us to work with people instead of around them with the benevolent assumption that, given the right conditions, they will be enthusiastic and motivated to actively engage in protecting their company and, by extension, their livelihood.
Imagine how differently employees might behave if we talked about them, and to them, in a more positive way about security. How about inquiring more deliberately into how we might leverage people’s decision-making and action-taking capabilities to create another layer of resilience that makes the business more secure?
When you consider the human element, focus not on the potential for a catastrophic security failure, but on trusting people to act as a strong line of behavioral and decision-based defense. Think of what our people could achieve if we gave them training, opportunities and an environment to empower them at different levels inside an enterprisewide security organization.
Is it not worth trying to nurture the rich potential and diversity of people’s competencies instead of decrying their flaws? You can even take it a step further by rolling out a structured, scalable and repeatable program for identifying and nurturing their dependability, resilience, energy, adaptability and commitment to learning how to consistently do the right thing in every circumstance, even the most unforeseen.
Design Your Security Program to Better Serve the Business
If our experience to date has taught us anything, it’s that security outcomes will remain suboptimal for as long as security subsists as a self-contained discipline operating in tech-driven autarchy.
We should aim for a holistic model of adaptive security that delivers high business impact. To do that, we need a ubiquitous set of dynamic capabilities that operate as a system, fluidly and fully permeating the primary system that security exists to serve: the business.
Bearing in mind that rogue actors are the exception, not the rule — and assuming that people essentially come to work wanting to do a good job as they search for autonomy, mastery and purpose — how might we go about designing a security strategy with better outcomes in mind for all our users, from the most technical to the least technical, from the custodian to the CEO?
The goal of any security program should be to democratize security as a central enabler and focal point for human-led endeavors in the enterprise, thereby breaking the false dichotomy that places security in hostile opposition to the very stakeholders it is meant to serve and protect.
The time has come to think differently about the role of human talent in a security-as-a-system environment so we can design differently for better collective outcomes.
What we need to do now is mobilize and move forward — together.
Senior Managing Consultant, IBM Security