Speaking at the Gartner IAM summit in Westminster, London on Tuesday, Scholtz opened by saying that treating employees like responsible adults can have a positive effect, not least in reducing the risk of insider threat but also in helping IT departments to more closely monitor external threats attempting to breach the corporate network.
Scholtz, a research VP at Gartner who specialises in security management, was of course primarily talking in relation to identity management, but his comments, to an audience of security professionals including CISOs, were directed more generally at IT security.
He urged attendees to treat people as the “most powerful agent in the security infrastructure”, instead of treating “them like children”, an approach which, futurologist Peter Cochrane says, often results in people acting in an immature way (he says: “If you treat people like children, they will behave like children”).
“97 percent of people want to do the right thing so why treat them like the criminals trying to attack us from the outside?” asked Scholtz.
As part of this, the Gartner exec said that companies should move towards a people-focused environment, with fewer preventative controls, less bureaucracy and less focus on policy/compliance. Ant Allan agreed and said that, while authentication remains key, there shouldn't be a desire to “nail everything down to the nth degree”.
Both Gartner analysts argued that, by doing this, people-centric identity management can improve staff morale and team agility, save money, and help companies use IT to achieve their business objectives. “This is hypothetical, but the probability of [this] improving security is not pie in the sky,” claimed Scholtz.
To illustrate, he cited one unnamed company which had implemented a security environment where they didn't unnecessarily circumvent job controls, freeing up employees to get the job done. What they found, Scholtz says, was that IT departments had to filter a “lot less noise in the monitoring environment”, allowing them to focus more on malicious outside threats.
“When they were monitoring an environment, or detecting an incident – there was a much higher probability that it was a security problem. Ironically, they ended up with better security even though [IT] had less controls.”
Another company, a large industrial firm, gave users more access to an enterprise resource planning (ERP) system than they really needed. “The lesson learnt was that people could be trusted, they could be given more access than they needed and wouldn't abuse it,” said Allan.
It's an approach born out of the “Shared Space” research of Hans Monderman, who helped build quiet areas in cities with the aim of fewer accidents. Monderman stripped out traffic lights, signs, crosswalks and lane markers, with the intention that pedestrians, motorists and cyclists would negotiate their way through streets by communicating with each other.
Scholtz believes that the same model could work in the security space, with users forced to make their “own risk-based decisions”.
You can still keep the bad guys out
Both men were keen to stress that affording more controls to the end user isn't about relaxing security, but simply about trusting them enough to do the right thing. And should they betray that trust, Scholtz still urged companies to be strong if need be.
“Obviously, you've still got to keep the bad guys out – we need to make sure employees have the knowledge and skill to behave in the right way. If people do misbehave, punish them effectively for the individual. Weak leaders are too scared to punish the individual,” said the analyst, adding that such leaders would often block access for a whole department.
“I am not saying that this [approach] suits all enterprises, but it can work in the right environment.”
Allan added that this would likely come down to establishing a baseline of trust and a need to protect the critical things, and urged companies to look to monitoring tools, such as SIEM and big data security analytics, as well as recognition and authentication technologies, such as biometrics and voice recognition.
Allan concluded: “Corrective controls don't go away – you still have to monitor – but it's about being more focused on services rather than restricting an organisation and stopping it working.”