Should Our Security Controls Be More Like North Korea or Norway?

When the drive for additional visibility and awareness is led by the business rather than just a SOC team, both the business and security can benefit.

Sounil Yu, CISO and Head of Research, JupiterOne

November 11, 2021


If we reflect on the models we tend to emulate when designing enterprise security controls, it may be shocking to discover that the closest comparison is North Korea: a tightly controlled regime with constant monitoring; restricted information flows to prevent exfiltration of secrets; forced use of specific operating systems and images; and severe penalties for noncompliance, up to and including termination. Even buzzwords like zero trust seem to reflect how people treat each other in North Korea. Is this the model of enterprise security that we really want? With such heavy-handed approaches, is it any wonder that security teams aren't often invited to the table?

Can we strive for something better? Instead of North Korea, perhaps we can be more like Norway, where people are free to interact and innovate to meet each other's needs and drive business growth. With each choice we make in the design of our enterprise security controls, we can make our work environment feel more authoritarian or more free. We certainly need to be mindful of the trade-offs in relaxing our security posture, but some perceived trade-offs are actually false dichotomies that artificially constrain our set of options for security controls.

For example, in the North Korea model, security puts sensors everywhere for the purposes of monitoring the citizenry. In the Norway model, sensors are placed for the benefit (or safety) of the citizens and security is a byproduct. In both cases, we still deploy sensors, but in the Norway model, the primary purpose of the sensor is for the sake of improving our lives.

Choose a People-Focused Approach
If we want a Norway model, security should not take the lead on activities that are the responsibility of the business or the owner of the asset. This includes gaining visibility or structural awareness of our assets and our environment. The asset owners should drive this, and security becomes a beneficiary. For example, a security-focused team can put security cameras at every street corner and face significant resistance from citizens. However, if the same cameras controlled traffic signals to reduce travel delays, there would be far greater buy-in. Security can still benefit from the camera feeds, but the primary goal is to support faster movement. We will still want additional controls to prevent abuse of such monitoring (who watches the watchers?), but when the drive for additional visibility and awareness is led by the business, both the business and security benefit.

Many years ago, I ran a security-led experiment to see if employees would willingly volunteer to be closely monitored when there are clear benefits that they receive. I was considering the deployment of a user behavior-monitoring tool that was positioned as a way to counter insider threats (i.e., the North Korea model). If I had given people the opportunity to opt in to the deployment of such software onto their endpoint, I imagine I would have gotten very few takers. Instead, I positioned the tool as a way to understand how we might be able to identify and share best practices for our job functions (i.e., the Norway model). By monitoring our activities on the endpoint, we would find those actions that can help improve our performance based on what we observe from other high performers. Out of 100 people that we solicited, only four chose not to participate! With this approach, we had the buy-in to implement a tool whose primary purpose was to improve day-to-day productivity, but we also had the secondary ability (with the proper oversight processes and controls) to counter insider threats if needed.

Success Requires Collaboration Across the Business
One of the key differences between the North Korea approach and the Norway approach is who leads these initiatives. For the experiment mentioned above, it could easily have been an initiative led by human resources (the "business," or asset owner) instead of security. After all, HR and most employees would fully support well-designed tools to improve employee performance. But when the initiative is security-led, suspicions arise and security teams will have difficulty getting the buy-in regardless of how noble their intentions may be.

Unfortunately, the business and asset owners sometimes don't care to lead initiatives that give them better visibility into their own environment. This is why security teams often get stuck with the job of improving asset inventories or trying to improve visibility. Even worse, security-led approaches can fail spectacularly when you encounter groups, such as developers, with significant influence or ability to avoid controls imposed by the security team.

Balancing strong security and high productivity for groups such as developers is nearly impossible with a North Korea model. That's why security teams should embrace developer-led or developer-friendly initiatives to increase visibility and observability. These efforts are primarily to drive developer productivity, and security becomes a beneficiary of the increased visibility that is offered through these business/owner-led initiatives.

As we accelerate our digital transformation, our employees will find more opportunities to innovate and create new business value. We want to have these environments be safe and secure, but if we lead purely with security in mind, then we should expect another dystopian future.

About the Author(s)

Sounil Yu

CISO and Head of Research, JupiterOne

Sounil Yu is the current CISO and head of research at JupiterOne, a cyber asset management platform. He was the former CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies. He is the creator of the Cyber Defense Matrix and the D.I.E. Triad, which are helping to reshape how the industry thinks about and approaches cybersecurity. He serves on the Board of the FAIR Institute and SCVX; co-chairs Art into Science: A Conference on Defense; volunteers for Project N95; contributes as a visiting National Security Institute fellow at GMU's Scalia Law School; and advises many security startups.
