User-Centered Security Is a Fine A.R.T.
While every enterprise is different, there are three fundamental characteristics common to all successful modern enterprises. The successful modern enterprise is:
- Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.
- Resilient – able to avoid threats, disasters, and disruptions and to recover rapidly and seamlessly from those that cannot be avoided.
- Trustworthy – able to credibly demonstrate and document operational transparency in ways that create and justify high levels of trust among all stakeholders.
It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.
User-centered security is a focus on what users use to do their jobs—applications, information, devices, and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important, you can also protect users from being conduits into the enterprise for malware and other threats, all while keeping critical enterprise resources safe.
How to Achieve User-Centered Security
User-centered security is not only desirable, it’s achievable. The Australian Signals Directorate (analogous to the National Security Agency, or NSA, in the United States) estimates that up to 85 percent of targeted attacks on IT environments are preventable by taking four simple steps:
- Application whitelisting
- Timely application patching
- Timely operating system patching
- Restricting administrative privileges to users who really need them
Unfortunately, such protections are like smarter eating and exercise habits. Most of us know what would be best for us to do, but we don’t always do it.
Take patching, for example. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the Top 30 Targeted High Risk Vulnerabilities. The newest dates from 2014, the oldest from 2006. That means there are patches designed to remediate all 30 vulnerabilities, but many enterprises have not yet installed those patches, for whatever reason.
Agility, resilience, and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, beginning with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes, and services that make agility, resilience, and trustworthiness possible.
To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation.
Of course, none of these strengths can be achieved or sustained by processes or technologies alone. As with almost everything else a successful enterprise does, effective security and ART-fulness are achieved and sustained by people. Specifically, you and your people in concert with colleagues from across your enterprise. Evolution into a secure and ART-ful enterprise requires leaders, evangelists, champions, and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART (agility, resilience, and trustworthiness) possible.