People-Centric Security: Introduction
If you see a company's budget you'll see that security won't be as big as development or information technology. With information technology you can develop more applications and let systems more stable, but security needs something to protect in order to work. And it is financially crazy to add one security guy to every developer or system engineer. That's why security personnel don't scale. At least don't scale as security would like.
The solution for that is to share the burden of protecting data and systems with those other departments. Security needs to create and manage security policies to afterwards evangelize them to other parts of the organization in a language they could understand. It's about education. And education is persuasion, persuasion is teaching and teaching is selling.
But how to start a people-centric security program?
As we're talking about people and the environment surrounding them, a good place to start is to learn from what have been done before in terms of educating employees and adjusting the environment so everything goes smoothly. There are frameworks from 1983 that may come to your aid. It's really an old topic.
Gartner, the acronym and expression creator in the technology industry, shared some lessons on how to implement a people-centric security approach, along with the following framework:
According to them, these are the key lessons learned:
- Ensure that the appropriate enterprise environment exists. It must be a culture of trust. People-Centric Security isn't a tool for initiating cultural change;
- Select an appropriate target domain for the implementation;
- Consider the technology opportunities that can be used to facilitate People-Centric Security;
- Investigate the potential legal and HR issues.
On top of that I'd like to also recommend the book People-Centric Security: Transforming Your Enterprise Security Culture, from Dr. Lance Hayden, which seems to go deeper on how to derive a people-centric security framework from existing organizational frameworks, how to use surveys and questionnaires to your advantage and more.
That's all for today.