Think process, not technology. Einstein once said, “Genius is 99% perspiration and 1% inspiration.” He meant that hard work, persistence and staying the course are what will see you through. I am not sure about the ratios, but you get the idea. The same can be said of cybersecurity: there is a lot of focus on the technical side of things and sometimes not enough focus on the rest of cybersecurity.
I can go to 10 different successful companies and I will most likely find 10 pretty good cybersecurity operations within their IT departments. They will have strong, modern perimeter security such as firewalls, along with monitoring and metering tools. Sometimes they will have some type of anti-malware regime in place, such as antivirus, antispam and antimalware software. Usually they will have good spam filters, and may even have some type of internal scanning, such as an IPS/IDS, to look for threats within the company network.
What About The Rest?
But just look a little deeper and normally the story will be very different. There will be telltale clues to the real security of the organization. When was the last time the rank-and-file employees were trained on cybersecurity awareness? If they were, what did the training consist of? Was it a seminar, or real interactive training with up-to-date examples and some type of testing afterward? Was the training ongoing and frequent, or was it something they did a while back and have not kept up with? The answers to these questions are not always so encouraging.
Many of these companies sacrifice process to expediency, or may not look at process at all. This can be a deadly mistake in the era of advanced persistent threats and multiplying attack surfaces. More needs to be done, but it needs to be done in the right area. The bad guys are not going to come in the front door if it is locked, bolted and reinforced. They are going to find another way.
What’s the Process?
And that is where process comes in. The right process is going to cover your entire attack surface systematically. Process, not technology, is the idea that will bring all of the elements of security together. Process, not technology, is what will keep you moving forward long after the threat types have changed and moved on to something different. Process is the hard work, the persistence, the staying the course that will determine your future cybersecurity posture. Technology is only part of the picture.
Pay attention to your process and the technology will follow when it needs to. Lead with technology and you will always be scratching your head over the latest attack. This applies even to the technology itself. I remember on many occasions going into a well-staffed IT department with good security people, working on some perimeter security technology, and noticing that they had not patched servers in many months or even years, or that they did not have good admin password procedures on their servers.
It was frustrating to see this, and it was indicative of a very real problem; process, not technology, is the answer to it. These processes need to be followed and kept updated, giving the bad guys nowhere to go but some other victim.