Over the past 24 years, we have had hundreds of conversations with companies that have experienced a cyber security incident. These incidents have ranged from unauthorized access to data theft, ransomware, phishing, corporate espionage, extortion and more.
Through conversation, we’ve learned that many of these incidents could have been avoided had these companies been properly prepared. Some of these companies spent a small fortune on security technology. Some had an Information Security (Infosec) training program in place for their staff members, others had a disaster recovery program in place or were being monitored by reputable companies.
So why did they all experience a cybersecurity incident? Put simply, while almost all of the companies were doing “something,” they did not factor in each of the three critical components that make up a sound security framework. These three are People, Process, and Technology, often referred to as the Golden Triangle of security. All these companies were missing at least one of these elements. Let’s talk about what each of these refers to.
The People
The people part of the golden triangle means that you have the proper resources on the task at hand. These people are qualified to do the job you ask of them. They have the right skills; they are probably certified, and they have adequate experience. You can trust them with your security.
The Process
The process component ensures that you have a solid plan in place, which includes conducting regular assessments and performing the checks and balances of a technical, operational, or procedural nature. The process plan utilizes the expertise and skills of the resources you have assigned to the task. You’ve identified the key steps and desired outcome of the project and can measure the success of the plan or process you have initiated.
The Technology
Of course, technology is a critical component of the Golden Triangle. It’s the foundation that supports the People who are responsible for the Process that has been developed. It is also the most confusing aspect. There are so many options available, and selecting the right product or service can be a daunting task.
The Problem
Technology is often where companies go off the rails and succumb to some cleverly marketed security software, hardware, or monitoring service. They believe that technology is the answer to their security prayers. We know it is not. We know there is no silver bullet.
Technology fails for many different reasons. We find that it is rarely set up correctly, and it is then left to the fate of a curious hacker. We often find that the reason we can evade or bypass security controls is that they are not properly set up. Technology can also outgun the operator’s understanding of how to manage, monitor and maintain it. It’s just too complicated for the user to truly benefit from it. It’s like the new iPhone that everyone wants because of all the neat things it does, but that you’ll never use or don’t have the time to learn about.
Another reason is that the wrong technology has been purchased for the challenge it needed to solve, because the process wasn’t thought through or developed at all. Lack of knowledge, lack of expertise, and lack of a clear plan all add up to purchasing the wrong product or service.
Lastly, with so many “applications” available, companies are quick to purchase many of them, thinking more is better. In fact, less can be more if the right product or service is considered. Also, with all these “apps” to manage and monitor, system and network admins are run off their feet. They can’t keep up with all the tasks required to make sure the apps are working and producing the reports or results they need. These tasks often get skipped (or are never done at all), turning the very expensive technology your company purchased into a paperweight.
The Solution
The moral of this musing is that if you are considering security, you must include all three components of the golden triangle if you want the best possible defense against attack. Be sure you have the right people to determine a strategy. Use those people to create the plan or process, and purchase the right technology for the right reasons and for the right task (not just because everyone else is drinking the Kool-Aid).
Once all three components are in place, get them validated by a security company that knows where to look for soft spots in your plan. If there is one, they will find it, and you will know where you need to place more effort, resources, or money. The result is that by following the People, Process and Technology framework and validating it, you will be far ahead of others, and a few giant steps ahead of a bad actor that has targeted your organization.
We are available for a free consultation to discuss your existing or future planned security efforts. We will let you know what we honestly think. While other security companies need to peddle security products and services, we sell our 24 years of security knowledge in the industry. We remain proudly brand-agnostic, and free from any of the pressure or encumbrances of selling you the security products that we literally break for a living.