Blog post

Simple People Centric Security Actually Works at Large Midwest Energy firm

By Avivah Litan | December 07, 2016 | 2 Comments

I just returned from a Gartner peer-connect event where some 65 CISOs shared experiences, concerns and visions for a more secure future.

There were many substantive discussions but one that stood out was a case study presented by a CISO from a large Midwest energy firm who implemented some simple people-centric and whitelisting security steps that reduced his incidents by almost 80%.

People are the main attack vector, and by tightening up their vulnerability to spear-phishing, exploits, and other attacks, the company would be much more secure.  Major program steps included; establishing a ‘fun’ teambuilding security awareness program, standardizing on a Chrome browser, creating an Internet café at work where staff can engage in personal browsing in a secure network segment, and a white list of applications and allowable website traffic which was developed over time.

Here are the specific steps the firm took:

In 2014

  • Governance: Established a cross-functional group of business leaders that met regularly, focused on security education and then began to deploy tools
  • Early Roll out: Discovered that in 2014, of the 400 plus security incidents at the firm, almost 90% were triggered by employees’ personal use of the Internet.
  • In 2014, the CISO took these straightforward measures:
    • Standardized on a Chrome browser, and eliminated use of legacy IE required by enterprise applications.
    • Deployed application whitelisting to eliminate application sprawl and coached employees to approve business required applications
    • Implemented a security awareness program that was ‘fun’ to partake in.
  • Program Results – in 2015 the firm had more than a 60% reduction in security incidents at a time when attempted attacks were increasing.

In 2015

  • Internet Café for personal browsing: the firm set up a Internet café on a separate network segment where employees could engage in personal browsing from their own personal devices. Personal browsing from other corporate network segments on corporate devices was ‘softly’ discouraged and disallowed
  • Internet Whitelisting: all corporate traffic was proxied through a whitelist. A process was set up to expand the whitelist based on information security review of business justification – the whitelist grew quickly from about a thousand sites to about 12,000 but then began leveling off 6 months after it was introduced.
  • Program Results: In 2016, security incidents at the firm dropped about 40%

Overall Results

By implementing these straightforward people-centric security measures, the firm dropped their security incidents from over 400 in 2014 to just under 100 in 2016, representing about an 80% reduction in events.


We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people.

This energy firm proved that by implementing people-centric security and whitelisting, the attack surface is dramatically reduced.  And now, the firm can concentrate on the smaller population of leftover security events – by applying more people-centric measures and a good mix of layered security technologies.   I think we should all follow this sound approach.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • This is right on Avivah! It is always helpful to engage people in this and all processes. Technology alone won’t cut it.

  • Ken Mages says:

    W3C is doing some interesting stuff.