John Fontana writes about a new idea called People Centric Security. The idea is to loosen enterprise security policies so that security decisions are made by the people directly responsible for a business area rather than by a central security team.
To paraphrase the immortal words of Pogo: We have met the security team and they is us!
For better or worse, I think this actually reflects the current state rather than some new idea. For all the work security teams do, users simply work around them to do what they need to do.
How many times have you heard conversations like these:
- The mail server blocked your attachment. Can you send it to my gmail account?
- I can’t reach your website. Let me disconnect from the VPN and try again.
- Our machines disallow USB storage devices, but I can upload the files to DropBox.
Your company's security already depends on your users. It is just pretending it doesn't.