The Key to Security is Subtlety

Most people also share a degree of stubbornness. People are happy to do things your way if they see the benefit, but anything perceived as getting in the way is quickly worked around. When you try to force something, they will dig in their heels on sheer principle. It's amazing how hard people will work to get around things they view as unnecessary change.

For organizations rolling out new systems, this is a problem.

People just want to do their jobs, and new systems with improved security and control are seen as getting in their way. They understand the organizational need for security and control of information, but they don't think it should make things any harder. Pleas by IT to enforce policies may fall on deaf ears when revenue goals are being met or deadlines are looming.

This fight needs to stop. People are not going to change. No amount of training or change management "best practices" is going to make people use systems that get in the way of hitting their targets. We need to rethink how we design and implement these policies so that they are subtle and don't get in the way of an organization's real mission.

Rethinking Our Approaches to Policies

There are two default approaches that many organizations take when designing policies. The first is that information is "need-to-know." When securing information, people always ask who needs access. The goal is to grant as little access as possible.

That is the wrong approach. Exceptions happen all the time. Adjusting security is rarely simple, even if people have the ability to make the change. Their answer? Take the information out of the system and share it with those who need access. This abrupt transition from too much security to no security is detrimental to the organization. It still happens because people have no other options.

The question to ask is, "Who should not see this information?"

The second default approach is keeping information only until it can be legally removed. When people learn that their content is going to be deleted, the first thing they do is make backup copies of everything outside of the system. The logic is that they don’t have time to determine what they will need later, so they keep everything. As a result, the act of removing old information leads to a proliferation of information in locations that are not secure or controlled.

Instead of forcing people to justify keeping information, justifications should be made for deleting information. Controls should shift from retaining information for a set period and then deleting it, to retaining information for a set period and then allowing the business to delete it if it chooses.

Make it Work

How do we make this change? People still don't like security or control. This is where we apply change management to all the change management that has gone on before. People need to be informed that the organization is going to relax and streamline controls. They have to trust that nothing will be deleted without their explicit permission and that they can readily share content with anyone who needs it.

This simple reeducation can have profound effects in how people interact with systems. It doesn't stop there. Systems have to adapt to the changing world. Systems have been designed to limit people. They need to be updated to allow control to be shifted from the organization to the people.

Sharing functions in systems should send a link to the content to the people who need it and automatically grant them access. The act of sharing content with someone is an acknowledgement that you trust that person enough to send them the information. The system needs to understand that logic and respond in kind.
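As an added illustration of the "share implies grant" behaviour described above (example code written for this post, not from any particular product), the sketch below models a document whose share action records an access grant and an audit entry, while the organization's "who should not see this" exclusion list is the one control a share cannot override. The `Document`, `ShareService` and the placeholder link URL are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Document:
    name: str
    owner: str
    # The "who should not see this?" list: an exclusion a share cannot override.
    excluded: set = field(default_factory=set)
    # Recipients who have been granted access, mapped to who shared with them.
    grants: dict = field(default_factory=dict)


class ShareService:
    """Hypothetical sharing service: a share is treated as a trust decision."""

    def __init__(self):
        self.audit = []  # constructed in-memory audit trail of share decisions

    def can_read(self, doc, person):
        # The exclusion list wins over any grant; otherwise owner or grantee may read.
        if person in doc.excluded:
            return False
        return person == doc.owner or person in doc.grants

    def share(self, doc, sharer, recipient):
        # Only someone who can read the content can extend trust to someone else.
        if not self.can_read(doc, sharer):
            self.audit.append(("denied-share", doc.name, sharer, recipient))
            return False
        # The organization keeps one control: the recipient must not be excluded.
        if recipient in doc.excluded:
            self.audit.append(("blocked-share", doc.name, sharer, recipient))
            return False
        # Sharing grants access and records who vouched for the recipient.
        doc.grants[recipient] = sharer
        self.audit.append(("granted", doc.name, sharer, recipient))
        return True

    def link_for(self, doc, sharer, recipient):
        # The link is only handed out once the grant succeeded, so it works on arrival.
        if self.share(doc, sharer, recipient):
            return f"https://docs.example.invalid/{doc.name}"  # placeholder URL
        return None
```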

That is just one example. Systems need to translate actions into intent and act accordingly. Systems should allow people to work in a way that is natural to them while maintaining security and control.

Open Up or Give Up

Many will say that this shift will put more information at risk. That belief is overlooking several realities that are not going to change anytime soon.

  • When people pull information out of a system, there is no security or control
  • Any system can be hacked by those who want in
  • Most security breaches are accidental
  • People will always find a way to work around the system

The default approaches to security and control need to be revised. Those approaches need to be subtle and provide enough controls to protect information without encouraging information to be pulled out.

We need to provide the illusion of freedom so people accept an organization’s control.

Title image by duremi (Flickr) via a CC BY-SA 2.0 license