When I served on a panel about data breaches at the ISACA Silicon Valley chapter conference recently, the moderator asked, “To prevent data breaches, which is more important: process, technology or people?”
My fellow panelists (three CISOs and two highly experienced consultants) all answered ahead of me: “People.” I was surprised. Here I was the only awareness specialist on the panel, yet my answer was process.
Without process, I explained, the people don’t know what to do. Without process, there is no right way to implement technology. Process is implemented through governance. As I discuss in Advanced Persistent Security, without governance your security program is an accident.
Governance is composed of standards, policies, guidelines, procedures and other documents. The processes contained in the documents are supposed to define how technology is maintained. They are supposed to state how users are to behave in different circumstances. They are supposed to define how everything operates within an organization.
That matters because, without defined behaviors, user actions are random. Some users might behave securely. Some won’t. Without defining how technology is maintained, some administrators might securely configure the technology under their charge. Some won’t. Before you can focus on the people in a security program, you must be able to define exactly how you want the people to behave.
One of the greatest problems that render awareness programs ineffective is that they rely upon training developed by vendors, without regard to organizational governance. Training acquired from vendors might cover random best practices, but those best practices might not be applicable to your organization and the threats you face. Even worse, such training tends to be limited to two to three minutes, which means it can’t cover much or reinforce the materials effectively.
Without governance, not only is technology configured, implemented and maintained randomly, but budgeting is likewise random. Governance should also require that technology be implemented in a way that anticipates the inevitable user failings.
I fully concede that most governance programs are even worse than awareness programs. Many organizations apparently believe that governance consists of creating documents that will sit on the shelf and only be pulled down to show auditors. Someone is tasked with writing best-practices documents that receive little review and are not really intended to be implemented. More often than not, a driving factor in the creation of the documents is that they be tailored for ease of proving compliance, not for creating a more effective security program. Frequently, even when the governance is intended to be complete, not all required governance documents are developed, so the body of governance is incomplete.
Awareness programs should focus on informing people about the behaviors specified within the governance documents, not random best practices. A good awareness program tells people what they should be doing, not what they should be worried about. Assuming governance is complete, when faced with a social engineer who wants an employee to do something wrong, the employee would follow procedures and not fall prey to the attacker.
Before you address the people problem, you need to ensure you know specifically how you want the people to behave, and especially how you intend to inform people of those expectations. That is process. In the Process-Technology-People triad, it is where it all begins. It might be politically correct to say people come first, but it is still wrong.