In recent years, there has been a noticeable improvement in the quality of information security guidance, particularly in the emphasis on fundamentals. However, the industry often falls short when it comes to highlighting the importance of establishing these fundamentals as replicable processes. Fundamentals, policies, training, tabletop exercises, and technology are all valuable resources, but they have their limitations and can be subjective in nature. To truly achieve consistent end goals, there must be a focus on creating recognizable, replicable, and flexible processes from beginning to end.

The concept of a “process” involves instituting, training on, evaluating, and rehabilitating a series of expected actions that individuals may take in response to various stimuli. These stimuli can range from a 911 call to an onboarding ticket from HR. A well-defined process provides a framework for activity that is replicable, generalizable, and based on the practitioner’s physical, mental, and digital capabilities.

The “Swiss Cheese Model” of causation, first proposed by psychology professor James T. Reason in 1990, highlights how weaknesses in complex systems can align to create vulnerabilities that lead to breakdowns. This model serves as a reminder that without consistent, dependable processes integrated into workflows from the start, it is difficult to anticipate how and when these weaknesses may align to create opportunities for attackers.

As someone with experience in emergency services response and now in the tech industry, the importance of processes has been underscored repeatedly. Whether it was working as a 911 dispatcher or navigating the complexities of IT security, mastering the process was essential for dealing with unpredictable environments and multiple simultaneous demands.

Establishing a practitioner-driven process is fundamental to running a successful security program. This approach not only prevents burnout among employees but also standardizes experiences and addresses gaps that may arise from ad hoc solutions. By prioritizing practitioners, evaluating environments, and implementing flexible frameworks alongside fundamental security measures, organizations can enhance their overall security posture and mitigate risks posed by malicious actors. Let’s make it more challenging for bad actors to exploit vulnerabilities and ensure a safer digital landscape for all.

Source link