Large organisations spend billions every year trying to secure their workplace environments. Would they be better off ditching most of that expenditure?
That idea was raised by Gartner analyst Tom Scholtz during a presentation entitled ‘Kill Off Security Controls To Reduce Risk’ during the Gartner Enterprise Architecture Summit in London, which I’m attending as part of our ongoing World Of Servers coverage.
Scholtz noted that the dictatorial nature of enterprise security was frequently counter-productive. “It often results in contempt,” he said. “It’s not a very sustainable sort of environment.”
To be completely fair to Scholtz, he emphasised repeatedly that this argument formed part of Gartner’s ‘maverick’ strain of research: ideas which are deliberately provocative and which haven’t been formally tested and proven to the same level as Gartner’s more commercial research. The idea is to stimulate discussion, not to lay down concrete workplace proposals.
It’s also worth noting, as I have in the past, that individuals who believe they can avoid any form of security issue because “I know what to do” are generally on a hiding to identity theft. The odds overwhelmingly suggest that you don’t know how a rootkit works.
With that noted, there is a lot to be said for avoiding security for the sake of bureaucracy, and identifying threats rather than frantically trying to block everything. “I review a lot of policy documents and some of them can be fairly clunky and substantial,” Scholtz said. “We could potentially save a lot of money and boost staff morale.”
“It’s not cost effective to eliminate all the risk,” Scholtz said. “At the moment, we’re impeding the behaviour of the 98 per cent who want to do the right thing because of the 2-3 per cent who want to do bad things, and maybe that’s the wrong way.”
Thoughts?
Lifehacker’s World Of Servers sees me travelling to conferences around Australia and around the globe in search of fresh insights into how server and infrastructure deployment is changing in the cloud era. This week, I’m in London for the Gartner Enterprise Architecture Summit, looking at how to plan and deploy your overall enterprise architecture for maximum business value and efficiency.
Comments
3 responses to “Would Your Workplace Security Improve If You Killed Most Of It?”
Three words: Duty of Care
It only takes one disgruntled employee or one external breach, and if it can be shown you failed in your duty of care to put adequate security measures in place, you expose your business to litigation.
Chances are, if it’s an employee, they are someone who has been granted such access already, meaning it makes little difference to the end result.
I agree with this to some degree. For example, one of our application servers currently requires 3 passwords just for one simple operation, when access is already internal only, and everyone who uses it is required to know all 3, which haven’t changed in 10 years.
At the end of the day it’s really more of an illusion of security than actually aiding anything. I’m all for security, where it matters.
The short answer to the headline: “No.”
Workplace information security practices belong to a category where implementation needs to be carefully executed and continuously improved. “No security” is one end of the spectrum, which @single_malt above has succinctly pointed out as lacking duty of care. “Too much security” is the opposite end, where users are frustrated and most probably seeking workarounds in favour of productivity. Information security is not just about technology-based controls; it’s also (if not mostly) about user awareness, culture, and behaviour. So, to answer the headline again: “No, it will not improve workplace security to kill most of it. Rather, the enterprise should have a process to continually seek feedback which can be used to improve the way security is implemented.”