For a long time our industry has been saying that addressing people, process, and technology will solve some of the hardest problems in cybersecurity. The terms people, process, and technology fundamentally suggest the destination and solution is known and the triad is the path to get to the solution. The issue we all experience is that most folks don't know the destination and solution, so to offer people, process, and technology only offers a path not a solution.
While security has been around for a while it is still a very young industry and it’s only been a true discipline for 5-10 years. We’re still figuring things out. As I tell everyone, learning as you go is a-okay. We reserve the right to get smarter as we go. As facts change so should your opinion.
For a very long time security folks have touted that addressing and figuring out the answer to people, process, and technology will solve the answer to some of the hardest security questions. I think for a short time this was probably true. For that short time, “we” as a collective industry, were still crawling and trying to figure out this security thing applied at scale.
First off what's people, process, and technology? The terms people, process, and technology suggest the intersection of these three items like a Venn diagram. At the intersected middle is the solution perfectly balancing all three. The term people is the human side of this triad. Humans are the operators the strategy and elbow grease to ensure the job gets done. Process is the organization and the X's and O's of how people and technology will work together, it's always a way to organize work so it can be automated. Technology is the technological pieces doing what humans either can't or doing it faster than a human can creating massive efficiencies.
It’s now 2019. Our security industry is at a light jog headed into a run. Our industry has matured a ton, and it’s continuing to mature and advance. Blanket answers of People, Process, Technology is not enough anymore. Let me offer an analogy to make my point--a fine dining experience at a restaurant. Your experience at this restaurant is dictated by service and how you are greeted when you arrive, presentation of the table, the ambiance of the restaurant, the menu, and most importantly how the food is prepared, served, and most importantly flavors of the cuisine. The chef, who usually has as a direct say in all these things, deals with people, process, and technology. A chef deals with the staff of the restaurant and kitchen, a chef defines processes for line-cooks and interactions with the wait-staff, and chef needs to have the right tools or technology to do the job. To say that People, Process, Technology are the only inputs to a success restaurant is flawed. There’s much more that goes into a successful experience for the patron so they want to return. If you told a chef that his or her people, process and technology is what makes them successful, I’m positive they would disagree. Running a successful restaurant is much more than these three things. It’s the ingredients, it’s the recipes, it’s the pairing food types on a menu, great chefs will also consider textures of the food, it’s the many years in culinary school practicing how to make a perfect soufflé, it’s food presentation (which is an art form), my list can go on. All this, the customer experience, transcends people process and technology.
People, process, and technology is becoming a curse phrase. It’s how I can quickly sort out who is taking the short cut in security by offering high-level, abstract, not-applicable answers. It’s also how I personally sort out those working as a tourist in the security industry versus those that are true security professionals.
One thing you need to know about people, process, technology is that it assumes you are working backwards from a known solution. If you know exactly what you want, standardizing on these things can be a way to categorize your effort into a work break down. The issue in security in most folks don’t know the solution.
So, next time you offer people, process, and technology as a blanket response remember you aren’t helping anyone. We need security blueprints that considers people, process, technology, but also factors everything else such as security protocols, attack vectors, pieces of the kill chain, specific capabilities of an enterprise security program. Being able to offer this level of blueprint and expertise only comes from years of expertise.
