Your Cyber Security products don't do anything

By Bill Dunnion

In today’s commodity-driven world, our collective society is constantly told what to buy: quick purchases that can solve all our problems with a single product. It’s literally what the advertising industry is built on. Whether it’s a quick-fix, money-making scheme, a new weight loss product, the latest in fashion trends—every product promises something nothing short of miraculous. 

The question: Is the cyber security world any different? It’s always easy to sell point solutions to address the challenge of the day, but as I’ve alway said about point solutions—it’s not polite to point. Thinking that a single product will suddenly protect an organization from an army of cyber attackers just isn’t feasible. 

In our new world of always on and always connected, so too are the nefarious individuals who are constantly in the shadows trying to infiltrate every system possible: people behind the keyboards running the scams and taking advantage of everything they can. So if people are at the heart of the problem, so too must people be at the heart of the solution. 

Like any business process management endeavor, there first needs to be a profound account of everything from corporate culture, to how people work in groups and the associated systems needed for divisions to do their jobs, how those systems and groups interact with other systems and groups and, of course, how individuals ultimately interact with other individuals and systems.

In short, placing people at the forefront of any cyber security solution is essential for success. It’s at this stage where an intrinsic understanding of how people interact with each other and the organization creates the road map to success. Furthermore, it also creates the perfect opportunity to enable input from teams and individuals to ensure that new security measures don’t actually hinder business—yes, that can happen. 

By involving people in the initial phase of the project, educational factors can be addressed along with best practices, and more. Simply put, when everyone knows what is happening and is involved and engaged, the next step becomes far easier to implement and manage.

Once the human equation is addressed, the next logical phase is creating the process. By leveraging stage one findings—the human factors of business—processes become very clear as to what will work and, more importantly, what won’t. And, again by garnering people’s input early on, the mass adoption of new processes becomes far easier, eliminating everything from the simple ignoring of process, to the more dangerous aspects of bad or cumbersome processes that foster issues such as rogue IT. 

Lastly, there is the product aspect of the entire initiative. Once the people and process aspects are solidified, choosing the right product becomes easy. It’s simply a matter of best fit. And whether that’s based on something as simple as feature / function, to interface, and more, all of the heavy lifting as to what will work best has already been done. To put it simply, the people have spoken.

As the title of this article states, cyber security products don’t actually do anything until configured properly to address people, process, and business needs. The idea of plug and play in any realm is never a good approach to solving a problem. But when the trifecta of people, process, and product is addressed in an appropriate manner and sequence, it’s amazing what can be accomplished.