People-Centric Security: Introduction
If you look at a company's budget, you'll notice that security isn't as prioritized as development or information technology. Information technology allows for the development of more applications and ensures system stability, but security requires something to protect in order to be effective. It would be financially impractical to add one security personnel for every developer or system engineer. That's why scaling security personnel is challenging, at least in the way security would prefer.
The solution to this is to share the responsibility of protecting data and systems with other departments. Security needs to create and manage security policies and then educate the rest of the organization in a language they can understand. It's about education, and education involves persuasion, teaching, and selling.
But how do you start a people-centric security program?
Since we're dealing with people and their surrounding environment, it's a good idea to learn from past experiences in terms of educating employees and creating a conducive environment. There are frameworks dating back to 1983, such as the Competing Values Framework, which can be helpful. It's an age-old topic.
Gartner, a leading authority in the technology industry, has shared some lessons on implementing a people-centric security approach, along with the following framework:
According to Gartner, here are the key lessons learned:
- Ensure the appropriate enterprise environment exists, one that fosters a culture of trust. People-Centric Security is not a tool for initiating cultural change.
- Select an appropriate target domain for implementation.
- Consider the technological opportunities that can facilitate People-Centric Security.
- Investigate potential legal and HR issues.
Additionally, I would recommend the book People-Centric Security: Transforming Your Enterprise Security Culture by Dr. Lance Hayden. This book delves deeper into deriving a people-centric security framework from existing organizational frameworks, utilizing surveys and questionnaires to your advantage, and more.
That's all for today.