AKA yes men are everyone’s friend
Security doesn’t have to be the historical world of saying “no” all the time; it can actually become a business enabler that empowers people and helps achieve business objectives. A lot easier said than done, you might reply … and you would be right. But it is possible.
Let’s look at the traditional approach to security. Assume we have a normally on-prem employee who needs to work remotely on a critical project. Since the employee has always worked in the office before, no mechanism has been set up to grant secure remote access. You have two options: have the employee attempt remote access and deny it because it is “outside of policy”, or work with IT to set up remote access for this employee, which may require entirely new provisioning actions, the installation of a VPN client on the employee’s computer, a slew of approvals, and more time to complete the task than either IT or the employee has.
So we have the case of a whole bunch of people saying “no” for all the right reasons. Or a whole bunch of people jumping through all kinds of hoops so they can say “yes” but only if you do all kinds of out-of-band contortions first.
Employees have quit over less.
But what if there was a way to make “yes” the default answer without requiring all the special effort? Then the employee would get what they need, when they need it, in the way they want, without sacrificing security; and IT would be able to focus on the important things rather than mundane and unnecessary user access issues and exceptions.
This can be done through a concept called context-aware, adaptive, or risk-based security. Basically, it assigns scores to various contextual factors (who is asking, from what device and network, for which resource, and when) to estimate the risk of an access request, and then ramps security enforcement up or pulls it back depending on the risk score returned.
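As an added illustration of the scoring idea in this paragraph (not code from the original post), here is a small Python risk engine applied to the remote-access scenario above. The factor names, weights and thresholds are assumptions chosen for the example, not any vendor’s model.

```python
from dataclasses import dataclass, replace

# Constructed example of the scoring idea described above. Factor names,
# weights and thresholds are assumptions for illustration, not any
# vendor's model; tune them to your own environment and telemetry.

@dataclass(frozen=True)
class AccessContext:
    managed_device: bool   # enrolled and compliant with corporate device management
    known_network: bool    # source network previously seen for this user
    mfa_completed: bool    # a second factor was verified in this session
    usual_hours: bool      # request falls in the user's normal working window
    sensitivity: str       # sensitivity of the requested resource: low/medium/high

# Risk added when a factor is unfavourable; a higher total means a riskier request.
FACTOR_WEIGHTS = {"unmanaged_device": 40, "unknown_network": 15,
                  "no_mfa": 20, "off_hours": 10}
SENSITIVITY_WEIGHTS = {"low": 0, "medium": 10, "high": 20}
STEP_UP_AT, DENY_AT = 40, 70   # enforcement ramps up as the score crosses these

def risk_score(ctx: AccessContext) -> int:
    """Sum the weights of every unfavourable contextual factor."""
    score = SENSITIVITY_WEIGHTS[ctx.sensitivity]
    score += 0 if ctx.managed_device else FACTOR_WEIGHTS["unmanaged_device"]
    score += 0 if ctx.known_network else FACTOR_WEIGHTS["unknown_network"]
    score += 0 if ctx.mfa_completed else FACTOR_WEIGHTS["no_mfa"]
    score += 0 if ctx.usual_hours else FACTOR_WEIGHTS["off_hours"]
    return score

def decide(ctx: AccessContext) -> tuple[str, int]:
    """Map the score to an enforcement level: allow, step up, or deny."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny", score
    if score >= STEP_UP_AT:
        # Middle band: still a "yes", but with more assurance. Ask for MFA if it
        # has not happened yet; otherwise grant a shorter, more restricted session.
        return ("step_up_mfa" if not ctx.mfa_completed else "allow_limited_session"), score
    return "allow", score

# The post's scenario: an on-prem employee working remotely for the first time,
# on a managed laptop, from a home network the system has not seen before.
REMOTE_FIRST_ATTEMPT = AccessContext(managed_device=True, known_network=False,
                                     mfa_completed=False, usual_hours=True,
                                     sensitivity="high")
REMOTE_AFTER_MFA = replace(REMOTE_FIRST_ATTEMPT, mfa_completed=True)   # same request, MFA done
UNMANAGED_OFF_HOURS = AccessContext(managed_device=False, known_network=False,
                                    mfa_completed=False, usual_hours=False,
                                    sensitivity="high")
```

The first remote attempt lands in the step-up band, so the answer is “yes, after MFA” rather than a flat “no”; once MFA is completed the same request is allowed outright, while an unmanaged device at an odd hour is denied.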
With this approach security becomes the practice of saying “yes”, and no longer “yes … but …” or a categorical “no”.
In this case a “yes man” is a good thing!