User behaviour accounts for over 50% of information leaks, yet traditional security systems have failed to address this issue. The fundamental reason for this is the treatment of users as “kids” within such systems. This has resulted in teething security challenges relating to data classification, lack of top management commitment and a high rate of false hits to name a few. It is time to trust users and move away from the current approach of restrictive controls across the organization, where security is the job of the IT/security department, to a new approach where security is a user responsibility and tools are put in place to enable them to protect information and verify that they do so. This new approach, championed by Tom Scholtz of Gartner, is called People Centric Security (PCS). PCS assumes that most individuals inherently want to behave in an appropriate manner for the benefit of the business rather than being inherently “Evil”. PCS moves from a Control Centric Security approach to one that is based on trusting users to do the right thing and verifying that they do so.The increased rights and responsibilities of users and the changes in monitoring philosophies under PCS are governed by seven principals, as defined by Tom Scholtz , which are:
1. Accountability 2. Responsibility 3. Autonomy 4.Immediacy 5. Community 6. Proportionality and 7.Transparency
Principals of PCS Powered by e-Safe Compliance
ACCOUNTABILITY - ENABLES OWNERS TO BE RESPONSIBLE FOR PROTECTING THEIR INFORMATION
e-Safe Compliance, through user empowerment, makes the information owners accountable for the protection of information they are responsible for by creating roles for them in the system. Using these roles, they can now classify the information themselves and, more importantly, define how it should be used. Information owners receive reports on the usage of their information and can make the call if it is not used appropriately.
RESPONSIBILITY - SHARED RESPONSIBILITY LEADS TO HIGHER SECURITY
e-Safe Compliance does not adopt a blocking approach to security but instead adopts a more flexible monitoring approach based on responsible use of information. Under this approach, the usage of information is based on the sensitivity of the information as defined by the information owners. However, the users are allowed to make a judgement call and are held responsible for their actions. The approach uses a fundamentally different implementation approach of the traditional technologies of user behaviour analytics and employee monitoring tools
AUTONOMY - MORE FREEDOM THROUGH TRUST AND SELF-GOVERNANCE
e-Safe Compliance fosters a culture of Trust and Self-Governance among the staff. Users make the call on the usage of the information based on their responsibilities. For example, a finance executive working on a last-minute, next-quarter financial could decide to take it home via USB drive or Dropbox as long as he gets authority to do so from the information owner, the CFO in this case. The finance executive knows that if he does not do that, the CFO will receive the report of his activity and might start an enquiry.
IMMEDIACY - USER EMPOWERMENT REDUCES DETECTION TIME AND IMPROVES USER EDUCATION
The primary focus of empowering the users by using e-Safe Compliance is to reduce the “Detection Time” of a transgression. By decentralising the reporting of transgressions to people who understand the sensitive information, it is ensured they are picked up quickly and remedial steps can be taken immediately.
COMMUNITY - FOSTERS A CULTURAL CHANGE TOWARDS SECURITY
One of the biggest challenges faced by security teams is to develop a culture of security in the organisation. Through decentralisation of security roles and responsibilities, e-Safe Compliance ensures all users starting from top management to junior executives are involved in the decision-making and are responsible for how the information should be used and processed. The added responsibility upon the management ensures that they lead by example for their teams. This facilitates an overall cultural change in the organisation towards security.
PROPORTIONALITY - FOCUSED MONITORING VIA DATACENTRIC SECURITY
The freer handling of the information due to greater autonomy allowed under PCS is verified using e-Safe Compliance’s advanced monitoring features which are proportionate to risk involved. e-Safe Compliance works on the principals of total visibility of sensitive information and Data-Centric security. Unlike many existing security technologies which either block or allow an entire medium, e-Safe Compliance focuses on protecting the data while giving total visibility to the responsible users. This ensures users are not burdened by unnecessary security but still have the flexibility to do get their job done.
TRANSPARENCY – BUILDS TRUST AMONG USERS
e-Safe Compliance is built on the philosophy of TRUST BUT VERIFY. All monitoring is done in consultation with the specific departmental heads and information owner groups
Try Now. Its fast and easy!!!
You can try e-Safe Compliance using our cloud servers or have it on your premises. It only takes a few hours to install and you will immediately get endpoint visibility without any noticeable impact.