Security is a Process, Not a Product

Posted on Nov 30, 2016 11:33 AM by:

Did you know that the most common type of security incident is the disclosure of sensitive or confidential information? It’s so prevalent, in fact, that it occurs at roughly twice the rate of security incidents caused by hackers, and three times the rate of security incidents caused by viruses/malware.*

Furthermore, approximately 80% of those data disclosure incidents are caused, either by accident or on purpose, by internal staff.

Put simply, the greatest risk to security, but also the greatest asset, is not technology. It’s people.

And yet, as we consult with clients large and small, we routinely find that IT and Security departments are focused, with laser-like intensity, on security tools and technology.

Invariably, we also find that the leaders of these departments are struggling to demonstrate the tangible value the investment in expensive security technology is creating for their businesses.

It’s an unwinnable situation because throwing technology at a problem that is fundamentally not a technology problem to begin with will not yield (the right kind of) results.

To be clear, we are big fans of security tools and technology! Our consultants have years of experience in the security industry, and can speak about them at length and with real-world, battle-hardened experience.

But while technology, like money, makes a great servant, it makes a terrible master. Effective security requires the integration of people, processes, and technology into the bigger picture of business strategy, value, and risk. Ultimately, the integrity and security of your technical environment will reflect the maturity of the people and processes that manage it, not the other way around. Whether that’s a blessing or a curse depends on how well those other areas are being addressed.

Topics: Security