Should Our Security Controls Be More Like North Korea or Norway?

When the drive for additional visibility and awareness is led by the business rather than just a SOC team, both the business and security can benefit.

If we reflect on the models we tend to emulate when designing enterprise security controls, it may be shocking to discover that the closest comparison is North Korea: tightly controlled regimes with constant monitoring; restricted information flows to prevent exfiltration of secrets; mandated operating systems and images; and severe penalties for noncompliance, up to and including termination. Even buzzwords like zero trust seem to echo how people are expected to treat each other in North Korea. Is this really the model of enterprise security we want? With such heavy-handed approaches, is it any wonder that security teams aren't often invited to the table?

Can we strive for something better? Instead of North Korea, perhaps we can be like Norway, where people are free to interact and innovate to meet each other's needs and drive business growth. With each choice we make in the design of our enterprise security controls, we can make our work environment feel more authoritarian or more free. We certainly need to be mindful of the trade-offs in relaxing our security posture, but some perceived trade-offs may actually be false dichotomies that artificially constrain our set of options for security controls.

For example, in the North Korea model, security puts sensors everywhere for the purposes of monitoring the citizenry. In the Norway model, sensors are placed for the benefit (or safety) of the citizens and security is a byproduct. In both cases, we still deploy sensors, but in the Norway model, the primary purpose of the sensor is for the sake of improving our lives.

Choose a People-Focused Approach
If we want a Norway model, security should not take the lead when it comes to activities that are the responsibility of the business or the owner of the asset. This would include gaining visibility or structural awareness of our assets and our environment. The asset owners should drive this, and security becomes a beneficiary. For example, a security-focused team can put security cameras at every street corner and face significant resistance from citizens. However, if the traffic cameras controlled signals to reduce travel delays, then there would be greater buy-in. Security can still be a beneficiary of the camera feeds, but the primary goal is to support faster movement. We will want to ensure that additional controls exist to prevent abuse of such monitoring (who watches the watchers?), but when the drive for additional visibility and awareness is led by the business, both the business and security benefit.

Many years ago, I ran a security-led experiment to see if employees would willingly volunteer to be closely monitored when there are clear benefits that they receive. I was considering the deployment of a user behavior-monitoring tool that was positioned as a way to counter insider threats (i.e., the North Korea model). If I gave people the opportunity to opt in to the deployment of such software onto their endpoint, I imagine that I would have gotten very few takers. Instead, I positioned the tool as a way to understand how we might be able to identify and share best practices for our job functions (i.e., the Norway model). By monitoring our activities on the endpoint, we would find those actions that can help improve our performance based on what we observe from other high performers. Out of 100 people that we solicited, only four chose not to participate! With this approach, we had the buy-in to implement a tool that helped improve day-to-day productivity as the primary purpose, but we also had the secondary ability (with the proper oversight processes and controls) to counter insider threats if needed.

Success Requires Collaboration Across the Business
One of the key differences between the North Korea approach and the Norway approach is who leads these initiatives. For the experiment mentioned above, it could easily have been an initiative led by human resources (the "business," or asset owner) instead of security. After all, HR and most employees would fully support well-designed tools to improve employee performance. But when the initiative is security-led, suspicions arise and security teams will have difficulty getting the buy-in regardless of how noble their intentions may be.

Unfortunately, the business and asset owners sometimes don't care to lead initiatives that give them better visibility into their own environment. This is why security teams often get stuck with the job of improving asset inventories or trying to improve visibility. Even worse, security-led approaches can fail spectacularly when you encounter groups, such as developers, with significant influence or ability to avoid controls imposed by the security team.

Balancing strong security and high productivity for groups such as developers is nearly impossible with a North Korea model. That's why security teams should embrace developer-led or developer-friendly initiatives to increase visibility and observability. These efforts are primarily to drive developer productivity, and security becomes a beneficiary of the increased visibility that is offered through these business/owner-led initiatives.

As we accelerate our digital transformation, our employees will find more opportunities to innovate and create new business value. We want to have these environments be safe and secure, but if we lead purely with security in mind, then we should expect another dystopian future.