Gartner Says Organisations Must Prepare for the Security Implications of the Digital Workplace

Analysts to Focus on Top Security Trends at Gartner's 2014 Security and Risk Management Summits, 23-26 June in National Harbor, MD, 25-26 August in Sydney, 8-9 September in London and 15-16 September in Dubai

(PresseBox) ( Stamford, Conn., )
Increasing adoption of a more mobile, social, data-driven and consumer-like workplace is causing the breakdown of traditional security models and strategies, according to Gartner, Inc. Gartner predicts that by 2018, 25 per cent of large organisations will have an explicit strategy to make their corporate computing environments similar to a consumer computing experience. Security organisations and leaders that fail to alter strategies to accommodate a more consumerised workforce will be sidelined by engaged organisations.

"Significant changes that impact an organisation's approach to security are underway," said Tom Scholtz, vice president and Gartner Fellow. "Employee digital literacy has led to a growing consumerisation movement within most organisations, with employees using a wide variety of consumer-oriented apps for business purposes. Other workplace trends - such as out-tasking, globalisation, networked reporting structures, shadow IT and a desire to foster employee engagement - are all impacting IT strategies. As organisations shift toward a more digital workplace, long-held approaches to security need to be re-examined."

"Implementation of a digital workplace exacerbates the IT department's loss of control over endpoint devices, servers, the network and applications," said Mr Scholtz. "In a fully consumerised workplace, the information layer becomes the primary infrastructure focal point for security control. This reality necessitates a shift toward a more information-focused security strategy."

The sheer volume of devices and access vectors implied by a digital workplace, coupled with the increase in sophisticated, dynamic attack methods and insider threats, makes the traditional approach of focusing on preventive controls (such as signature-based anti-malware, network and host intrusion prevention systems, pervasive encryption and continuous patching) increasingly ineffective. While the value of and need for preventive controls will never go away, the digital workplace reinforces the need to focus more on detective and reactive controls. In practice, this means increasing investments in context-aware security monitoring for internal and external environments, threat intelligence assessment capabilities and incident response. Pervasive, context-based monitoring and security information analytics will form the core of next-generation security architectures.

Strategies such as the digital workplace implicitly recognise that users will be given more freedom in how they use technology and information. This implies a higher level of trust that users will exhibit appropriate behaviour in dealing with an organisations' information resources. Key elements of a behaviour-focused security communication strategy include considering "just in time" security awareness techniques, which remediate or reward user behaviour based on the appropriateness of that behaviour within the user's context.

"Effective behaviour management is not produced by the mere deployment of an education program," said Mr Scholtz. "In addition to an education program that is focused on measurable behavioural outcomes, security leaders should develop their ability to collaborate with personnel and line-of-business managers to modify job descriptions and reward mechanisms so that they are aligned with desired security performance."

Gartner believes that trusting the motives and behaviour of individual users is a key enabler for the digital workplace. Conventional approaches to information security tend to treat everyone, including employees, with distrust. By implication, such an attitude will impede the digital workplace. However, a more people-centric approach to security will contribute to the potential success of the initiative. People-centric security (PCS) is a strategic approach to information security that emphasises individual accountability and trust, and that de-emphasises restrictive, preventive security controls.

PCS is based on a set of key principles, and on the rights and related responsibilities of individuals. The premise of PCS is that employees have certain rights - but these are linked to specific responsibilities. These rights and responsibilities are based on an understanding that, if an individual does not fulfil his or her responsibilities, or does not behave in a manner that respects the rights of colleagues and the stakeholders of the organisation, then the individual will be subject to sanction. While a wholesale PCS strategy is certainly inadvisable for many organisations, it is certainly a viable concept that should be considered as part of the digital workplace.

"The digital workplace implies new and different security risks," said Mr Scholtz. "Hence, it is imperative for the impact of the digital workplace to be properly risk-assessed. Owners of information assets involved in the initiative must be informed of the risks, and the security team must help them assess the potential impact of the risks against the expected business benefits of the digital workplace. Also, the affected information owners must sign off on any additional risk that they are willing to accept in the interest of the digital workplace."

More detailed analysis is available in the report "Prepare for the Security Implications of the Digital Workplace." The report is available on Gartner's website at http://www.gartner.com/doc/2720217.

This research is part of the Gartner special report "The Nexus of Forces: Social, Mobile, Cloud and Information." The report is available on Gartner's website at http://www.gartner.com/technology/research/nexus-of-forces/. It includes links to reports, webinars and video commentary that examine the impact of the Nexus of Forces on enterprises.

About Gartner Security & Risk Management Summit

Gartner analysts will take a deeper look at the outlook for security solutions at the Gartner Security & Risk Management Summits taking place 23-26 June in National Harbor, Maryland, 25-26 August in Sydney, Australia, 8-9 September in London, UK and 15-16 September in Dubai, UAE. More information on the US event can be found at www.gartner.com/us/securityrisk. Details on the Australia event are at http://www.gartner.com/technology/summits/apac/security/. More information on the UK event is at http://www.gartner.com/technology/summits/emea/security/. Details on the Dubai Summit are at http://www.gartner.com/technology/summits/emea/security-dubai/.

Members of the media can register for press passes to the Summits by contacting christy.pettey@gartner.com (US), susan.moore@gartner.com (Sydney), laurence.goasduff@gartner.com (London) or sony.shetty@gartner.com (Dubai).

Information from the Gartner Security & Risk Management Summits 2014 will be shared on Twitter at http://twitter.com/Gartner_inc using #GartnerSEC.
Für die oben stehenden Pressemitteilungen, das angezeigte Event bzw. das Stellenangebot sowie für das angezeigte Bild- und Tonmaterial ist allein der jeweils angegebene Herausgeber (siehe Firmeninfo bei Klick auf Bild/Meldungstitel oder Firmeninfo rechte Spalte) verantwortlich. Dieser ist in der Regel auch Urheber der Pressetexte sowie der angehängten Bild-, Ton- und Informationsmaterialien.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an service@pressebox.de.