People, Process or Technology - Which hits the spot?

Last week I gave a presentation on the subject of “Managing the Human Dimension” to Iain Sutherland’s excellent Independent Information Security Group. It got me thinking about the balance between the human and technology aspects of IT Security and how it continues to change. I’m often asked for my opinion about the most important aspect of IT Security. And I have to admit that my opinion changes every year.

In the early days of IT Security there were many academics in the USA, including some leading lights such as Bruce Schneier and Dorothy Denning, who firmly believed that everything in security could be solved with technology alone. They eventually saw the light and quickly began to focus more on the softer aspects of security. In contrast, there were also a handful of maverick, crusading consultants, such as Donn Parker at SRI International and our own Martin Smith in the UK, who preferred to play to their strengths and promote the importance of the human dimension. But in practice most CISOs quickly discovered that the logical starting point was to focus on policy, processes and standards, because that was the easiest way forward and the most obvious way to engage the Executive Board and kick off a long range Enterprise programme.

Personally, I always took a balanced view. I was introduced to the classic triangle of people, processes and technology in the Royal Dutch/Shell Group back in the early nineties, when it became fashionable for business process re-engineering. I often mapped security standards and initiatives against it, but typically found the outcomes to be far from balanced. And the focus was not static. Ten years ago, if you’d asked me where the biggest bang for the buck could be found, I would have pointed to platform security. But today, it’s different. Over the last few years, the weak spot has been human behaviour. So naturally that’s where the attention has been shifting, and in fact where much of the UK Government’s focus has now been concentrated. And to be honest, it’s where I’ve been able to make the greatest single improvements in security in recent years.

And the balance is now changing again. Over the next few years, I believe we will see the emergence of new security technologies that will provide unprecedented capabilities to see and control security events across the enterprise. And these capabilities will only be successfully harnessed through the use of new policies, processes and technology. So again, the focus will switch away from the human dimension towards business processes and automation.

Of course, anyone who knows me will understand that I’ve always believed that a process-driven approach is not the true way forward for an Information Age organisation. Repeatable processes are a prescriptive, Industrial Age solution for promoting traditional, static business activities. Scripted approaches have the unfortunate side effects of restricting business agility and dumbing down people’s capabilities. They won’t deliver the goods in a fast-changing business world run by empowered individuals. Ideally we should provide staff with an up-to-date set of tools, smart training and a clear set of objectives and standards. We can then allow them to improvise and exceed expectations by constantly transforming the quality of our services. In fact it is perfectly possible to design 100% script-free business processes, IT systems and supporting infrastructure. But unfortunately the business world is far from ready for such radical ideas. So for some time to come, I expect that processes will continue to be King in the business and security worlds.


Sir, I disagree. My first point is, computer systems are implemented with one purpose in mind - to control process. The workflow through a system is simply controlled by allowing or restricting access to parts of a system. Underlying infrastructure already has this capability but is, in general, only implemented when violations are found or individuals complain that they cannot do their job. Your argument advocates controlling behaviour. I concur that setting boundaries and frameworks within which employees can operate is preferable to production line robots. It is my experience that too much control stifles innovation and generally leads to high levels of dissatisfaction amongst employees. I believe that it is more relevant to focus minds on simple things such as pride in a job well done. But this is an outdated value that has little place in today's business world. Results are important but it is the manner in which they are achieved that carries equal importance. To have security technologies that control behaviour shall simply add to the already Orwellian vision, breeding further mis-trust and dissatisfaction. Do you really want this? My second point is that, in industries such as the pharmaceutical industry, we are bound by law to follow process. The reason for this is to ensure that the quality of a product is not affected by the cavalier "fast-changing business world, run by empowered individuals" attitude. I get concerned when I see opinion such as this. A bad drug will kill people. My job is to provide quality assurance for systems that are integrated into the design, development and production of healthcare products. I am assured of one thing, that if a poorly designed system were at the root cause of a drug that affected you or one of your relatives, then you would do all you could to seek justice. Typically, the fast-changing business world is simply out there looking for a fast buck.
It is marketers acting on an ill-researched hunch or sales who want everything done by yesterday that drive this mythical fast-changing business world. This invariably leads to poorly designed and sometimes worthless systems being implemented. Such root causes are usually the result of business managers who perform inadequately. Therein lies the need for controlling behaviour perhaps? I can cite many instances where the root cause of failure stems from bad decision making inspired by the fast-changing business world. I speak about rail crashes, clinical trials making people severely ill and fuel storage depots blowing up. IT infrastructure will have been part of each system and the decisions to implement a given design solution will have been based on the fast-changing business world style of decision making. I do not stand in the way of change but simply ask that people do their job properly, that business managers think through the consequences of their decisions rather than pushing the boundary of acceptable risk in search of the fast buck. Yours sincerely, Graeme Blundell.
Graeme, Thank you for your comments. You make some very interesting points, but I would argue that the examples you give are ones from a traditional mass-production-oriented, Industrial Age business environment, rather than the forward-looking Information Age one that I was imagining, where speed, agility and diversity are likely to dominate the business landscape. That's not to say that Industrial Age industries will not exist. They will, but they'll be less significant, in much the same way as we've witnessed the decline of the Agricultural Age. Mass production of pills to highly regulated standards is an Industrial Age business. There might be alternatives in the future, with widespread knowledge available on tap, perhaps enabling self-manufacture of medicines for example? Mass transportation is also an Industrial Age concept. Things may be very different in the future. We might all be riding Segways powered by environmentally-friendly Stirling engines. As always, there will be risks and benefits, as well as winners and losers. I do believe also that computer systems do much more than control processes: they facilitate and leverage communications and relationships, capabilities that will become increasingly important with P2P focused Social Computing, which offers a bigger exploitation of IT than anything we have ever experienced. Behaviour can and should be influenced for the desired output, otherwise bad practices will dominate. In the modern world I believe that this is best achieved through smart communications, incentives and environmental factors. Big Brother will of course exist whether you like it or not. Pervasive surveillance is simply a part of future life. It's just a question of who will exploit it to best effect: business, government, criminals or security. David Lacey
Hi David, I read with considerable interest your post as well as the one from Mr Blundell. My view has not changed based on either post, rather it has been bolstered by both - one size does not fit all. That said, I have been enlightened by good points in both posts and thank you for highlighting the upsides of people, processes and technology. As a complete aside, may I encourage you, your readers, and colleagues to read my 'back page Editorial' in the January issue of SC Magazine, and subsequent issues in 2007. I take the reader on a journey into the cyber world. Your review and critique would be very much welcomed. Edward P Gibson, Chief Security Advisor, Microsoft Ltd UK
Hi David, With outsourcing prevalent in the Information Age, a new element, Partners, could be added to the original 3 IT Security elements you described. I consider it important to include these in the IT Security equation - where appropriate. Shane Tully, Security Architect
Shane, Excellent point and very true. Relationship management is vital to effective security management. But things do have more impact when grouped in threes, so that would rather spoil the presentation of the model. David Lacey