It’s time we finally started treating security like a process

  • Posted on October 16, 2018
  • Estimated reading time 3 minutes

Nearly 20 years ago, an internationally renowned security technologist named Bruce Schneier coined a phrase that would be prophetic in the security industry: “Security is a process, not a product.”  

In that 2000 article, “The Process of Security,” Schneier, now chief technology officer of IBM Resilient, lamented that enterprises were looking at things all wrong. He said they were putting all their focus on products, hoping to buy the perfect security solution off the shelf. But even then, Schneier sensed the fundamental flaw in this product-centric thinking. He knew there is no such thing as perfect security, especially once you enter human error into the equation.

Simply put: It doesn’t matter how strong the steel bars are on your windows. If you forget to lock the doors when you go on vacation and get robbed, it’s the process, not the product, to blame for your security breach.

That is why Schneier argued we should focus more on security processes. Unlike products, processes can be perfected, or at least improved to an acceptable level of risk, so that vulnerabilities are detected, protected against and remediated.

18 years later: Some things have changed. Others haven’t.
What Schneier didn’t know in 2000 is just how much more vulnerable the security landscape would become. Today’s enterprises are nothing like those at the turn of the millennium. Employees used to work almost exclusively in controlled corporate environments, on controlled corporate PCs. This “castle and moat” approach meant most sensitive data could be adequately guarded behind corporate firewalls. Not anymore. Today’s employees expect flexibility: to work from cafes and to share files in the cloud.

The level of threats, and the sophistication of attackers, has radically increased in tandem with our cloud and mobile workforces. In 2000, Schneier seemed chiefly concerned with denial-of-service and buffer-overflow attacks. Things like phishing or ransomware simply weren’t a concern at the time.

Unfortunately, one thing hasn’t changed much in the years since the article: our attitude. Enterprises and security professionals are still putting much of their attention on picking the right technology, and not nearly enough into composing and fostering the right security culture. This is something I see time and again with our clients at Avanade. The feeling is that if they haven’t been breached yet, then whatever they are doing is working. If they do get breached, they start looking for a point solution to plug the hole. This mentality is dangerous.

The 80/20 rule for security
At Avanade, we believe that the people, processes and culture you put in place count for as much as 80% of your security success. The vendors and new technologies make up the rest.

No matter what your digital transformation or security goal is, you should always start by documenting your current processes, your environment, and how your people are already creating or preventing risks. Once you have defined the gaps and the overall processes to keep your unique environment secure, it’s a much smaller leap to find the right technology to get the job done.

Lack of skills, resources and expertise to blame
Understanding, designing and implementing a modern security process can be incredibly complex, and few businesses have the resources or expertise in-house to do it. The reason so many organizations jump to products first is, therefore, understandable: It’s the path of least resistance.

But, as security becomes a critical business risk, one that has grabbed the attention of everyone in the C-suite, security leaders need to flip the script. It’s time we finally took the advice handed down to us 18 years ago. It’s time we admit security isn’t a product, it’s a process.   

Want to learn more about this topic? Check out my new video below that digs into how modern ways of working are creating a demand for advanced security processes.

I also invite you to visit our security webpage, which offers a variety of resources.

Daniel Krabbe

Great statement, and the quote shows it: although we see constant development and enhancement in technology, platforms and the way we technically work, some things will (maybe) never change.

Further tools/solutions to ease the way of being secured/protected are constantly showing up in the market, and often disappear at a similar speed. Or, if they persist, they tend to only give you a perceived security.

So let's focus on processes, training the human being and starting from; I am insecure to be prepared best!

November 1, 2018
