One-quarter of large organizations will have an explicit strategy to make their corporate computing environments similar to a consumer computing experience, and security organizations and leaders that fail to alter strategies to accommodate a more consumerized workforce will be sidelined by engaged organizations, according to a report from IT research firm Gartner.
The report outlines key elements of a behavior-focused security communication strategy, including considering “just-in-time” security awareness techniques that remediate or reward user behavior based on the appropriateness of that behavior within the user’s context.
“Effective behavior management is not produced by the mere deployment of an education program,” Tom Scholtz, vice president and Gartner Fellow, said in a statement. “In addition to an education program that is focused on measurable behavioral outcomes, security leaders should develop their ability to collaborate with personnel and line-of-business managers to modify job descriptions and reward mechanisms so that they are aligned with desired security performance.”
In addition, strategies such as the digital workplace implicitly recognize that users will be given more freedom in how they use technology and information, implying a higher level of trust that users will exhibit appropriate behavior in dealing with enterprises’ information resources.
“Significant changes that impact an organization’s approach to security are underway,” Scholtz said. “Employee digital literacy has led to a growing consumerization movement within most enterprises, with employees using a wide variety of consumer-oriented apps for business purposes. Other workplace trends — such as out-tasking, globalization, networked reporting structures, shadow IT and a desire to foster employee engagement — are all impacting IT strategies. As organizations shift toward a more digital workplace, long-held approaches to security need to be re-examined.”
What Gartner calls people-centric security (PCS) starts from the premise that employees have certain rights, and is based on a set of key principles tied to the rights and related responsibilities of individuals.
These rights and responsibilities are based on an understanding that, if an individual does not fulfill his or her responsibilities, or does not behave in a manner that respects the rights of colleagues and the stakeholders of the enterprise, then the individual will be subject to sanction.
“Implementation of a digital workplace exacerbates the IT department’s loss of control over endpoint devices, servers, the network and applications,” Scholtz noted. “In a fully consumerized workplace, the information layer becomes the primary infrastructure focal point for security control. This reality necessitates a shift toward a more information-focused security strategy.”