Week 9 Discussion – People, Process, Technology
This is the writing prompt: “Discuss how you would prioritize each element of ‘People, Process, Technology’ to improve a security program, based on the discussion above. Some things to get you started: Would you buy new technologies or improve existing systems first? Would you train people? Establish new processes? Use existing audits to determine the above items? Provide some added detail based on your research.”
This is a forum post, so it doesn’t need to be really formal, but it should include at least one citation in APA format.
Below is the full topic description:
In 1999, security professional Bruce Schneier popularized (but, contrary to popular belief, did not invent) the concept of “People, Process, Technology.” Like the CIA (aka AIC) triad, the PPT triad is a critical concept in information security (and technology management in general). There is also another illustration related to these, known as the McCumber Cube, which relates to “information assurance.” These can be seen in the following two links:
The idea is that all three aspects, or each of the three areas considered in cybersecurity, interrelate and can be important or emphasized. They are also closely linked, so that even if one has the best firewalls, IDSs, virus scanners, proxy servers, etc. (technology) in the world, it wouldn’t matter if they don’t use them properly or at all (process), or if they don’t have the right team or training (people).
A common issue today is that businesses may take a “check the box” approach to security, where they invest in specific technology to meet compliance obligations only, without having the right people or processes in place to take advantage of the technology and truly secure the system.
As a result, costly high-end IDS devices are installed but don’t send the proper alerts to anyone and aren’t tuned to eliminate false positives. Technology will help little if it is just used out of the box. The reality is that tools require trained people, cohesion and the right processes. A technology, after all, is only as good as how it is used, configured, tuned and kept up to date.
This is why organizations should start with the basics first: ensuring they are using the tools they already have in the best manner possible. For example, are the technologies already in use in the environment (Antivirus, DLP, Firewalls, IDS, IPS, EDR):
Installed where they should be?
Configured properly for alerting, blocking, strong security?
Tested to verify and validate that the above are effective?
Even passwords should be examined in this light, as well as inherent security settings for: operating systems, appliances, browsers, applications and existing tools and devices. All of this should happen before new technology decisions are made.
Maximize use of existing technologies first, determine gaps in visibility and protection, then obtain technologies that will help fill the gaps. This might be called a “foundational cybersecurity” approach, where one establishes a baseline with existing tools as the first foundational step. Why could this be an effective first step? Because new tools are expensive and require more resources. Also, existing tools may not be used effectively, and the new tool could be unnecessary. Consider this:
What if half of one’s infections occur through the browser?
What if weak browser settings were used, and stronger settings would prevent most infections?
One could eliminate half of their issues by that step alone, without having to employ new technologies.
What if half of devices don’t have Antivirus, EDR or DLP installed, or it is not in “block” mode?
Correcting these issues may also help improve security.
What if firewalls or IDS/IPS are only in monitor mode and not in block mode, if they have that capability?
Since most of these tools typically exist in companies today, it would be best to first ensure they are working as they should, where they should. This is simpler, less disruptive and less resource-intensive than employing, integrating and learning a new technology.
Discuss how you would prioritize each element of “People, Process, Technology” to improve a security program, based on the discussion above. Some things to get you started: Would you buy new technologies or improve existing systems first? Would you train people? Establish new processes? Use existing audits to determine the above items? Provide some added detail based on your research.