I am going to ask that for this short post that you take a leap of faith with me \u2013 imagine a world of \u201ctrust-based security\u201d practices.\nPractices that don\u2019t restrict or limit employees, but rather empower each individual to make the best choices on behalf of their organization when it comes to security. This means\u00a0switching the focus from preventing security breaches to educating employees and empowering them\u00a0to be your strongest information security agent.\nI know the first time I heard this push, I was skeptical. I was at the\u00a0Gartner\u2019s IAM Summit 2014\u00a0when I first heard an analyst stand up and turn traditional security thinking on its head. Since then I have read\u00a0more articles\u00a0on the subject and even spoken to IT leaders. This idea is less futuristic and starting to take shape today.\nThis leads me to the final truth in my\u00a0Five Important Truths about Digital Workspaces in a Dangerous World\u00a0blog series \u2013Truth #5\u00a0Embrace Employee and Business Unit Empowerment.\nShared Responsibility Breeds Positive Results\nWhen I first heard about trust-based security, it was related to the success of\u00a0Hans Monderman\u00a0who designed an approach on \u201cshared spaces\u201d. His theory is that in congested city streets there are too many traffic controls. As a result, people stop thinking and just react, or worse, ignore the safety protocols put in place to prevent accidents.\nHe recommended removing all road signs and simply ask people to behave safely keeping an eye out for pedestrians, bicyclists, pedestrians, etc. His idea has changed the thinking behind urban transportation planning and has shown success globally.\u00a0When empowered to make choices, people thought more about their actions and reacted appropriately resulting in reduced risk and a controlled flow.\nPrinciples of People-Centric Security\nWhile security in your organizations isn\u2019t quite the same as traffic flow, there are many of the same principles at play. Gartner identified them at their IAM Summit but also share them in their report \u201cConsider a People-Centric Security Strategy\u201d.\n\n\n\n\nAccountability\n\n\nTransition power from IT to the business and workforce to determine who has access to what applications and services. It is making the content creator also the one responsible for securely sharing the content.\n\n\n\n\nResponsibility\n\n\nMake everyone an auditor and hold them accountable for their actions and decisions.\n\n\n\n\nImmediacy\n\n\nIf someone breaks a security code of conduct immediately react and assign any punitive outcomes swiftly.\n\n\n\n\nAutonomy\n\n\nGive employees autonomy and inform them with that comes the power to make choices on how and where they will use and access information. It must be understood that with this power consequences follow.\n\n\n\n\nCommunity\n\n\nPeople tend not to make decisions independently and it is culture that breeds more group thinking and decision making. It is critical that leadership establishes this culture of trust in words and action.\n\n\n\n\nProportionality\n\n\nControls must be proportionate to the risk. IT needs to establish the right balance between monitoring or responsive controls vs preventative controls.\n\n\n\n\nTransparency\n\n\nExpectations must be communicated and any punitive outcomes well understood. Any punitive action will breed scrutiny so you want to be open about the process and outcomes.\n\n\n\n\nThese principles are all about placing employees at the heart of security instead of creating a force field that restricts employee movement. It is often the\u00a0restrictions that are put in place that open up security vulnerabilities as your employees seek a work-around.\nGetting Started with Employee Empowered Security Practices\nTrust-based security practices may feel like a leap of faith and loss of control. However, there are some starting points you can take without fully jumping in at once:\n\nEmpower Employees with Self-Service\u00a0\u2013 When users can quickly access services and applications from a whitelist of resources they are less likely to use unauthorized ones; eliminating the need for\u00a0Shadow IT.\nEnable Automatic Approval and Delivery\u00a0\u2013 By automating authorization and provisioning policies, business will systematize the delivery of IT services and applications, keeping access secure, consistent and reportable.\nReallocate IT Resources to More Proactive Security Initiatives\u00a0\u2013Self-service and automation also is free up IT resources to work on more strategic projects. Some of these strategic projects can be around more proactive security measures.\n\nI challenge you to think of your current security practices and identify where a\u00a0loosening of control could empower your workforce and ultimately lead to greater business agility and even less risk.\nFor those who have followed my blog series, thank you. I hope you gathered a few insights along the way! As always, you can get the entire five truths by downloading\u00a0the whitepaper here.