Security is often used as the greatest argument against increasing openness and transparency because it might lead to sensitive information might end up in the wrong hands. But is it a viable argument, or is just that our existing solutions are insufficient?
Security as a Middle Age castle
The approach many organization take towards information security is similar to the defense strategies use for Middle Age castles (and almost as outdated too). A Middle Age castle typically had high curtain walls, a surrounding moat and a drawbridge that are to keep unwanted visitors from entering the castle. If anyone would need to leave the castle, they would have to pass through a castle gate where guards could make sure they wouldn’t bring something from the castle. The people inside the castle were safe as long as the outer defenses held, but if someone managed to break through the outer defenses, the inhabitants of the castle were very vulnerable to an attack - except for the family of the lord of the castle and his valuables who could seek protection in the central tower or keep.
This is how many organizations have chosen to protect their information, building high curtain walls that make it hard for anyone from the outside to access and steal information, but also for people to bring any information with them to the outside. To do that, they need to pass through the tollgates and ask the gatekeepers for permission to leave the castle. There are also internal curtain walls between different organizational silos, making it hard to exchange information between those silos.
Security is about enabling value creation
"…the security department must become adept at identifying the real threats to ensure that security becomes an enabler for business innovation, rather than an inhibitor. Security should be seen as a tool that can be used to accept risks so that the business can take advantage of market opportunities it was never able to before."
Eric Ouellet, VP Research, Gartner
As humans are risk averse we underestimate the benefits of open systems, focusing on the risk and neglect the value that can be created on the other end of the scale. Realizing this, organizations need to look at security as a tool to take opportunities while minimizing risk. Many organizations have forgotten the most important part - to make it as easy as possible for people to do their jobs in a secure way. At the end of the day, that is what most people want to do. They want get their jobs done as good as possible. This usually implies fast and with good quality. Sometimes their work will require them to exchange information with people in other organizational silos. Sometimes it will require them to bring information outside the castle, because they need to work somewhere else or share it with some trusted party that doesn’t come from the same castle. When they do, the great number of gates and gatekeepers that are there to protect their information from falling into the wrong hands hinder them to do their jobs. Sometimes the only pragmatic way to work seems to buy a ladder so they can climb the curtail walls. There is always a tradeoff between security and usability, and system that is entirely secure is also entirely useless. When the usability of a system is bad, people will find workarounds.
Security is "a people problem"
Organizations often put all their trust into the systems they have designed to secure their information. But let’s not forget that security is ultimately “a people problem”. Hence safeguards and education can avoid inadvertent information leaks. People need to be educated in how to deal with sensitive information and there must policies and guidelines in place that are usable, that people actually can follow and get their jobs done at the same time. We must all become better at judging which information could be shared and which should not. Systems that restrict or even prevent us from sharing make us act without thinking. Many people have become used to these rigid systems and when they sometimes use more freeform tools, they might use the freeform tools to share information without thinking – because they’re used to not thinking. With email, that happens every day already. Even though there are more complex security and privacy concerns related to email than to most social software, hardly anyone ever questions the value of email today.
Balancing transparency and security
If everything is becoming open and transparent one might ask how one gains competitive advantages in markets that are classically based on information asymmetry. The answer to that is that twofold. First of all, everything won’t become transparent. The level of transparency can, and should, be much greater within an organization than towards the outside. Only a fraction of the information that is created and used inside organizations are relevant to the outside world. Secondly, in this increasingly interconnected and digital world, we are deceiving ourselves if we think that having unique access to certain pieces of information is what will create competitive advantages. Talented people who are able to find relevant information and turn it into actionable knowledge and create value together create real comparative advantage. The challenge is to find, attract and retain these people and create an environment where this talent can be used to its full extent. Enabling high levels of openness, transparency, participation, conversation, and recognition is a prerequisite for success in such an environment.