Often, we hear security professionals talk about the application of “People, Process, and Products” as being the critical tenets of a good security program. While this overall statement is accurate, I would suggest there are a few additional P(s) that we could add to the fold, which I believe are crucial to effectively defining and managing a modern information security and compliance program. One could state that, “people following process while appropriately leveraging products” embodies the list of must-haves, and I don’t disagree. However, I believe we could further expand upon these baseline tenets, in that doing so will help us more effectively execute by settling chaos that exists within the broader diverse landscape, and to better articulate the respective posture, risks and challenges for greater success and understanding by diverse audiences such as the senior leadership team, board of directors, investors, employees, regulators, and customers, all of which consist of both technical and nontechnical stakeholders.
Regulation and standards such as PCI DSS, HIPAA, FISMA, EU GDPR, and others are continuously revised to address emerging concerns and ultimately ensure relevance, adhesion, and institute of broad range of domain-specific measures affecting overall security posture and compliance.
I submit the following for the “Eight P(s) of Enterprise Information Security and Compliance”, with brief descriptions for each.
- Policy – Establishes the high-level definition and institutes the “tone-from-the-top” from the business that drives appropriate behaviors that align with the business. For information security this impacts the confidentiality, integrity, and availability of the information relevant to the respective business. Policy provides definition for leadership, employees, customers, investors, customers, business partners, and shareholders regarding the business’s stated position on information security. Policy establishes overarching structure without getting into the detailed instructions for how to do it.
- Process – Establishes standards that a business may be required to adopt, whether as required by a regulation, or self-adopted by desired business posture. In environments that store and process credit and bank card sensitive data, the Payment Card Industry Data Security Standard (PCI DSS) provides a clearly defined standard for handling these systems and sensitive data which must be adhered. Similarly, the United States government requires adherence with standards such as Federal Information Security Modernization Act (FISMA), based on NIST standards that provides a prescriptive operational standard that must be adhered. There’s the Health Insurance Portability and Accountability Act (HIPAA) for those that handle and transport patient heath information and records. There’s the series of ISO 27000 standards that guide processes and practices towards a certifiable accredited security standard. In Europe, there’s the EU General Data Protection Regulation (GDPR). And there are still many more, depending on the business you operate. In several cases, a business could be subjected to all, or combinations, of these standards relative to the environments they operate, the data they hold, and the geographies and customers that they serve.
- Procedures – defines the step-level guidance relative to execution, whether systems administration, data classification and management, incident response, business continuity, investigative analysis to name but a few. Procedures serve as essential execution instructions and workflows to fulfill various standards and regulations affecting the business.
- People – are those that are assigned to carry out the various subject-specific and general activities of the business. Senior leadership, management, technical subject matter experts, all employees, partners (see below), product developers, systems and application administrators, data owners and others all work collaboratively to ensure that security objectives remain met. Recruiting, retaining, training, and mentoring our people provides both higher morale and stronger purpose in executing the jobs that we hold, including our role in good security. From people whose daily job is dedicated to the security function, to people whose job is marketing or sales, to engineers that develop products, to leaders and managers: all are vital in the overall effective security program. As I have maintained for the better part of thirty years, “effective security involves everyone”.
Effective Security Involves Everyone
People (all) are the most important and valuable asset in an effective security compliance program, for without collaboration and highly-effective people, the other P’s may just sit there without cohesive orchestration.
- Product(s) – The technologies, whether hardware, software, or service, that aid the organization in achieving its security objectives. Products must be integrally aligned to the process, where silos of point solutions will introduce complexity and disparity relative to the ideal concept of advancing the analysis of information which pours in from many vectors. The concept of integral effective security depends on all of this information being correlated to represent the true picture of what’s going on, and guides us on where to focus our priority.
- Partner(s) – To truly affect “integral security”, partners must serve as an extension of the organization’s workforce, such as with an integrated-security management partner, cloud application and service providers, or IT outsourcing partners. Partners are crucial to sustaining an effective security framework, and should be aligned with the organization’s security and risk management programs. If we consider cloud-application partner(s), their security standards are at least equally as vital as the organization’s own firewall gateway.
- Performance – an important part of any program, not just information security and compliance, but all programs, there must exist the ability to measure, dynamically adapt, and readily advise on the performance effectiveness of the security program. This includes but is not limited to topics such as contained threats, incidents at all statuses (identified, treated, analyzed, transferred, prevented), as well as compliance posture relative to the state of each respective regulatory objective. By continuously measuring performance, we can more readily adapt our information security programs in a manner that allows us to focus on what matters most to the business. By measuring performance with diverse perspectives, we can begin to see things that could matter more. We can also see things that might matter less. Measuring performance allows us to dynamically adjust, re-prioritize and refocus our resources and activities towards the issues that matter most to our business.
- Persistence – is the constant vigilance and proactive research that allows us to understand emerging risks and threats before they affect the business. While this topic could fall under the category of Performance (above), it is highly beneficial to illustrate the importance of persistence, and quantify what it means, when advising both technical and non-technical stakeholders and regulators, as doing so demonstrates that the compliance program has specifically instituted a defined means for staying ahead of emerging threats and how relevant research is applied to the risk management program, whether through close alignment with a partner or internal team research. This empowers us to quickly adapt and perhaps predict the future matters, allowing us to augment and adjust our programs. One clear example of this would include the rapid emergence of new technologies categorized among the Internet of Things (IoT). These fascinating and rapidly expanding technologies have a deserving place in both homes (thermostats, smart refrigerators, voice-activated gadgets, etc) and business (healthcare products and devices, office and manufacturing automation, environmental sensors, control devices, etc). Therefore, our persistent research and agility to adapt our programs allows us to embrace these technologies as they enter our work environment and provide value to the business without compromising our security posture and compliance objectives.
I believe that by expanding our viewpoint and vocabulary of an effective enterprise security program (such as, in the Eight P’s versus traditional three P’s), we will yield higher return on our security investment, we’ll do a better job of adapting to new technology and threats, we’ll better understand our risks, and we’ll prioritize our focus in areas that matter most to the business, while inviting and involving all of the business into a collaborative and highly effective framework for information security, risk management, and compliance.
And, as the saying aptly continues, “Security is a Continual Journey, not a Destination“. This adventure is driven by people and innovation, guided and measured by a sound framework that correlates all the “P(s)” in seamless orchestration.
As always, I hope you find this post helpful and beneficial to your business.
Till next time
PS. To schedule a free 15-minute IT security consultation with me, put some time on my calendar!