Sooner than you think: reporting from the Bloomberg conference in Paris
Last week I was fortunate enough to have the chance to participate in the Bloomberg Sooner Than You Think conference in Paris. I spoke on the Innovation stage on rebuilding trust in an environment of widespread data abuse.
It seems today that breaches are everywhere you look, and the monetization of data, in one way or another, has become commonplace: you are the product, even when the service is not free! Data abuse has become a harsh reality for many, with people’s identities and personal information simply being another product available for trade, sale or unauthorized secondary use.
In this environment where trust is through the floor, how can security professionals and leaders rebuild safer workplaces that enable business outcomes and do not add more friction? Here at Forcepoint we suggest a switch from what is commonly called a “threat-centric” world to a behaviour analytics one, focusing on people’s interaction with data.
For example, “zero-trust” is a great concept in today’s flat, open and hyperconnected world, but it does introduce business friction. We believe that by using employees as the first and the last line of defense, they can become part of the cyber security “stack”. When we are able to monitor their use of data we can raise alerts and automatically enforce more stringent user-specific policies only when that behaviour changes from the norm. Thanks to this new approach we cut business friction and increase the chances of finding and stopping a data breach – before it happens.
With GDPR coming into force, privacy is top of mind for everyone, but I find it interesting how privacy is perceived in private life versus in the workplace. The idea of monitoring behaviour is still perceived as intrusive, despite the heavy regulations and frameworks in place to protect people’s identity and privacy.
When our customers introduce workforce monitoring, it’s not about what’s legal or what’s good: it’s about what’s best. We advise working in partnership with legal, HR teams, workers’ councils and internal communications teams to ensure the goals of monitoring are made absolutely transparent, that pseudonymization, controls and safeguards are built into monitoring, and that security becomes a positive experience.
In fact, by educating and protecting people and their identities at work, we also help increase their security posture in their private lives. Just think about all the GDPR-related notifications you’ve received as of late. Did you read the fine print? In our private lives we get virtually no advice before clicking “OK” while in the enterprise many professional teams will have reviewed and agreed policies before they are rolled out to the workforce.
The bottom line is that as security professionals and business leaders, we need to protect our companies, people and assets. We have a fiduciary responsibility to protect our businesses. Finding the balance between high data security, serious consideration of people’s privacy and keeping a business working smoothly is difficult. However, if we shift our focus and take a risk-adaptive approach, weaving in contextual intelligence on security incidents and only flagging those incidents which pose a real risk to our data, people, or business, I do believe that security can become a business enabler.