People, processes, and technology, or PPT, are the three pillars of any cybersecurity strategy. As businesses seek to improve their security maturity, they need to find ways to improve upon their PPT as well.
Processes constitute the routine, repeatable practices that businesses use when it comes to cybersecurity—both in day-to-day operations and before, during, and after a security incident. In this blog, we’ll dive into the overarching role of process in cybersecurity, including the ways it should be implemented and measured for continued success.
Processes lay out how a business acts regarding all aspects of cybersecurity. When creating and implementing cybersecurity processes, businesses need to consider all possible angles to ensure the processes have full coverage over various practices and procedures that involve security. This could be anything from daily network administration to new user onboarding to security solution management as well as incident response (IR) and other key procedures.
Behind every process, regardless of when or where it happens, there needs to be a consistent methodology. Everyone involved with security will have different approaches to the way they react and solve problems during an event. Having a consistent methodology behind processes ensures that everyone is pulling in the same direction and covering all the same bases, no matter the incident.
Another important characteristic of effective cybersecurity processes is that they must be dynamic. Cybersecurity constantly evolves as threat actors change their tactics and approaches. So, defenders need to ensure that their processes are just as adaptive. To this point, it is crucial to have an after-action process in place. This allows the team to reflect, track metrics, and use those metrics to find areas of improvement.
Although they can’t be set in stone, processes must also be stringently documented. That way, all members of the business can clearly understand them and their roles in them. Doing so allows businesses and their security personnel to act in a steady, proactive manner as opposed to an ad hoc, reactive approach to cybersecurity.
As businesses mature their cybersecurity posture, their processes must follow suit. Mature cybersecurity processes are comprehensive, as well as documented and dynamic as detailed earlier, but there’s another key characteristic that bridges the other cybersecurity pillars. Cyber-mature organizations adhere to processes across the entire business. This means every person at the company—even those without cybersecurity in their job description—follows processes as laid out by the security team and understands their role in them.
Organizations rolling out their cybersecurity processes need to be cognizant of the fact that they won’t get it 100% on their first go. Cybersecurity processes are iterative; they require tweaking and correcting as the business changes—and as cyber incidents occur.
Ultimately, the most important thing about implementing processes is to have them ready before an event occurs. This is especially critical for processes like IR where not having anything in place could spell disaster for the company. One can’t possibly know how the business will perform in the heat of a cyberattack, but having some sort of processes laid out beforehand will do a world of good compared to having nothing.
A major portion of this process is laying out escalation tracks. As events gain severity, more and more stakeholders will need to get involved across the company. So, it’s best to understand who needs to be included when developing new processes.
When implementing new processes, while it’s important to make them as comprehensive as possible from the get-go, they need to be stress-tested and further tailored to ensure they meet the needs of the business. To start, using prior incidents or activities from the company’s history serves as a great benchmark. Considering the various aspects of the event, run the new processes through their lens. A good process will address most, if not all, of those aspects, setting it up for future success.
Red, blue, and purple team exercises also help to streamline this stress-testing before processes are put under fire in an actual incident. Activities such as wargaming or tabletop tasks help uncover if someone is not aware of their role or if communication is lacking during the detection, response, and containment processes.
Starting small here is key; it’s best for all stakeholders involved to know their roles and become familiar with their responses. Then, as cybersecurity posture matures, more layers can be involved to ensure full coverage when a process is kicked off.
To assist in process implementation, we’ve created a guideline for creating and improving cybersecurity processes under the CLEAR model.
Of course, organizations can’t possibly improve upon cybersecurity processes without understanding their efficacy, and that is impossible without metrics to measure them. In the beginning, these don’t need to be tracked in fancy reports; those will come into play as the processes mature. Just understanding them at their core is essential for being able to adapt and improve processes.
Here are a few KPIs to consider when evaluating cybersecurity processes:
With these and other KPIs established and tracked, businesses can measure how effective their processes are, and subsequently improve upon them in the future. Alternatively, understanding these metrics and how they relate to cybersecurity efficacy also helps companies determine their ROI for security as a whole. Offsetting the cost of cybersecurity PPT against the potential costs of a breach enables the organization to understand just how valuable investing in cybersecurity is to their operations.
Understanding the role of processes is only part of the bigger cybersecurity picture. Ultimately, the sum of each pillar (PPT) is greater than its parts but is only truly as good as the weakest link. To evaluate how your business’s cybersecurity posture stacks up, download our Security Maturity Model eBook and see where you can improve and iterate.