{"id":6138,"date":"2024-11-07T09:00:00","date_gmt":"2024-11-07T15:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/process-in-creating-successful-security-posture"},"modified":"2024-11-07T09:00:00","modified_gmt":"2024-11-07T15:00:00","slug":"the-power-of-process-in-creating-a-successful-security-posture","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/07\/the-power-of-process-in-creating-a-successful-security-posture\/","title":{"rendered":"The Power of Process in Creating a Successful Security Posture"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

The quality of information security guidance has increased in recent years \u2014 especially regarding the focus on fundamentals \u2014 but our industry often fails to emphasize establishing those fundamentals as replicable processes. <\/span><\/p>\n

Fundamentals, policies, training, <\/span>tabletop exercises<\/a><\/span>, and technology are resources that are limited in their respective usefulness \u2014 each is a finite and frequently subjective piece of a puzzle. In an industry epitomized by the executive phrase “Learn to do more with less,” achieving consistent end goals requires recognizable, replicable, and flexible processes from start to finish.  <\/span><\/p>\n

In order to adopt a common lexicon, let us define “process” as instituting, training on, evaluating, and rehabilitating a series of practitioner-defined expected actions a person may take in response to a stimulus. Examples of stimuli include a 911 call, endpoint detection, or an onboarding ticket from HR. Importantly, the process provides a framework for activity, is replicable, generalizable, and is driven by the practitioner’s physical, mental, and digital capabilities<\/span>.<\/span><\/span> <\/span><\/p>\n

Psychology professor and human error expert James T. Reason first formally proposed the “Swiss Cheese Model” of causation in 1990. His model theorizes that the breakdown of complex systems often involves weaknesses across multiple defenses (slices) aligning across a moment of opportunity that results in the breakdown. Writer and technologist <\/span>Cory Doctorow recently illustrated an excellent example of this<\/a><\/span> in the alignment that results in a successful financial scam. In the context of security, the Swiss Cheese Model tells us that one cannot reliably anticipate how and when the weaknesses in your systems will line up to present an attacker opportunity without maintaining focus from the start on integrating replicable, dependable processes into your workflows. <\/span><\/p>\n

As a nascent technologist working technical support in Congress, my daily commute into Washington, DC, often centered around podcast listening. One favorite was the defense-themed <\/span>podcast <\/a><\/span>Bombshell<\/a><\/span>, often repeating mid-episode the tagline “Process is my Valentine,” analogizing the criticality of process to something as important and unpredictable as national security. The phrase resonated with me not only due to autism (after all, we love our self-imposed routines) but also because of my decade of experience in emergency services response prior to my career in tech.  <\/span><\/p>\n

As a 911 dispatcher responsible for responding to thousands of people myself, the process became necessary. I had to work out: <\/span><\/p>\n

\n