A recent opinion piece in Computerworld by Ira Winkler asks, “What prevents breaches: process, technology or people? One answer is PC, and one is right.” Most people — and most security experts — when asked the most important element in cyber security will say “people.” Winkler says it’s not people, it’s process: “Before you can focus on the people in a security program, you must be able to define exactly how you want the people to behave.”
Most user awareness training, according to Winkler, consists of 2-3 minute programs developed by vendors. “Training acquired from vendors might cover random best practices,” he says, “but those best practices might not be applicable to your organization and the threats you face.”
He makes a good point, but I think he’s arguing against a straw man. While it’s true that you need standards, policies, guidelines, and procedures as a foundation for good security practice, that doesn’t mean that process is more important than people and technology. Asking “What prevents breaches: process, technology or people?” is like asking “What keeps human beings alive: air, water, or food?” Your need for any one of those three might be more urgent than your need for the others at a particular moment, but ultimately you can’t survive without all three. Here’s my take on the process-technology-people security triad.
1. Process. Your cyber security process should not be so detailed that it’s difficult to understand or follow, nor so vague that it’s not useful. You need to account for industry best practices, regulatory compliance, privacy concerns, and your business’s potential legal liability. The exact combination is likely unique to your business, which is why your process must be tailored to it. If you haven’t yet thought through your process, there are plenty of templates on the web you can download as a starting point; treat them as a draft to adapt to your own risks and obligations, not as a finished policy.
2. Technology. Adopt the best hardware and software solutions you can afford, then keep them patched and up to date. What’s best will depend on your existing hardware, operating systems, and applications, as well as the business you’re in and the support available. And be sure to train some of your IT staff to recognize intrusions, identify the latest security threats, respond to them, and stay ahead of new attacks, which emerge daily. For IT staff training, I recommend the Logical Operations program Cybersec First Responder, a vendor-neutral cybersecurity certification program.
3. People. You need to train everyone in the organization to practice safe computing. They need to learn to browse the web safely, use email securely, use social networking securely, and use cloud services securely. Once they understand the issues and how to exercise basic hygiene, they can begin thinking of ways to protect your customers – and their own jobs. For this type of preparation, I recommend the Logical Operations program CyberSAFE. If you have any concerns about your organization’s vulnerability, the Logical Operations CyberSAFE Readiness Test can help determine your particular users’ level of sophistication and vulnerability to attack. You can access the test at no charge. Contact us at +1.800.889.8350.