We have met the security team and they is us!

John Fontana writes about a new idea called People Centric Security. The idea is to loosen enterprise security policies so that security decisions are made by those directly responsible for a business area rather than by a central security team.

To paraphrase the immortal words of Pogo: We have met the security team and they is us!

For better or worse I think this actually reflects the current state rather than some new idea. For all the work security teams do, users just work around them to do what they need to do.

How many times have you heard these conversations:

  • The mail server blocked your attachment. Can you send it to my Gmail account?
  • I can’t reach your website. Let me disconnect from the VPN and try again.
  • Our machines disallow USB storage devices, but I can upload the files to Dropbox.

Your company’s security already depends on your users. They are just pretending it doesn’t.
