When it comes to security, knowing you have a problem is only half the battle – if that. Figuring out how to solve the problem efficiently is what really matters.
And to do that, you need to determine the root cause of the problem. Is it a people issue, such as lack of enough security personnel? Is it inefficient processes that hamper communication within security teams? Is it a lack of the right technology for enabling security operations?
For CISOs, answering these questions is rarely easy. Most problems stem from a complex mix of people, process, and technology deficiencies, but pinpointing their sources can be a real challenge.
It becomes easier, however, when security leaders have a consistent framework in place for assessing the effectiveness of their people, processes, and technology – which is why I recently developed such a framework for IDC. Here’s a look at the guidance it offers and how CISOs can leverage it to identify the root cause of cybersecurity shortcomings, as well as maximize the impact of security investments.
Backstory: The challenge of assessing the root cause of security shortcomings
Let me begin by sharing a little backstory to explain why IDC developed a guide to assessing people vs. process vs. technology issues in cybersecurity.
Recently, I helped advise an IDC client whose security team was struggling to close thousands of vulnerabilities. They knew about the problem, and they knew in theory what they had to do to fix it – patch or otherwise remediate the vulnerabilities – but they were consistently struggling to close open vulnerabilities faster than they discovered new ones.
Getting to the root of the issue required figuring out whether the problem lay with the company’s security personnel, processes, or technology. Did they simply not have enough staff to remediate vulnerabilities quickly enough? Did they lack efficient or consistent remediation processes? Were their vulnerability detection tools falling short by, for example, generating false positive alerts about vulnerabilities that didn’t actually exist?
As my IDC colleagues and I talked through these possibilities with the client, we realized that this type of problem – sorting people from process from technology weaknesses in the realm of cybersecurity – was a widespread challenge for organizations of all types, not just this one client. Despite the fact that cybersecurity spending remains a top priority for businesses (Security Spending Still the Top Priority, IDC, September 2023), cybersecurity outcomes have only grown worse in recent years, with threat categories like ransomware setting new records for the scale and impact of attacks.
If businesses are tossing more money at cybersecurity yet experiencing worse outcomes, we deduced, they were likely not spending the money as effectively as possible. They might be overinvesting in security technology, for example, while underinvesting in people qualified to put that technology to maximum use.
The complex interplay of security people, processes, and technologies
It’s easy to understand why a business might fail to maximize the impact of its cybersecurity investments. Identifying the greatest weaknesses in cybersecurity strategies is rarely easy due to issues like a lack of comprehensive tracking of cybersecurity metrics and an inability to determine how spending on different areas impacts outcomes.
You won’t know whether hiring more security staff leads to a reduction in successful breaches, for example, if you don’t continuously monitor data in both of these areas. Nor can you determine whether investing in a new patching tool improves your vulnerability remediation velocity if you’re not tracking the relevant data.
A framework for identifying cybersecurity strengths and weaknesses
But by monitoring the right information and analyzing it in a consistent way, businesses can effectively distinguish people and process from technology issues. For example, when it comes to people, they can track the following metrics:
| Metric | Purpose |
|---|---|
| Cybersecurity team head count | Track the total size of the cybersecurity team to establish a baseline for the scope of personnel resources |
| Spending on cybersecurity personnel | Monitor the personnel cost of cybersecurity, which typically accounts for the largest share of spending |
| Hours worked by personnel on planned work | Monitor how much time staff spend performing routine work (like security monitoring) and determine when staff are overstretched |
| Hours worked by personnel on unplanned work (such as working after-hours to respond to a major incident) | Monitor how much time staff spend responding to unexpected, time-sensitive challenges and determine whether problems like ineffective tools or inefficient processes lead to excess unplanned work |
This data provides quantifiable visibility into the security investments that a business has made in the “people” category. By comparing this data with metrics related to processes and technology, security leaders are in a position to draw informed conclusions about where they are succeeding and where they are not.
As a basic example, imagine that cybersecurity personnel head count has remained unchanged for years and that open vulnerability counts have significantly increased during the same period. That would suggest that the organization simply doesn’t have enough staff to keep up with increased rates of vulnerabilities, and/or that it would benefit from better vulnerability detection tools. Of course, if data related to technology investments shows the organization has improved its vulnerability management technology in recent years, then business leaders could rule out technology shortcomings as the root cause of vulnerability management challenges.
This is a simple example, of course. In the real world, people, process, and technology issues often overlap in complex ways, and identifying the root cause of a security challenge is rarely as simple as comparing just two data points. But when you have a rich set of data available to track the effectiveness of security people, processes, and technologies in equal part, you become capable of making informed decisions about even the most complex security shortcomings.
That, at least, is the philosophy behind the framework we’ve developed to help cybersecurity leaders think through their strengths and weaknesses using the people-process-technology model as a guide.
Christopher Tozzi, an adjunct research advisor for IDC, is senior lecturer in IT and society at Rensselaer Polytechnic Institute. He is also the author of thousands of blog posts and articles for a variety of technology media sites, as well as a number of scholarly publications.
Prior to pivoting to his current focus on researching and writing about technology, Christopher worked full-time as a tenured history professor and as an analyst for a San Francisco Bay area technology startup. He is also a longtime Linux geek, and he has held roles in Linux system administration. This unusual combination of “hard” technical skills with a focus on social and political matters helps Christopher think in unique ways about how technology impacts business and society.
Read More from This Article: Differentiating people, process, and technology problems: A guide for CISOs