Put some “good ol’ time religion” into cyber security

Occasionally, I am confronted by someone who says, “Technology is irrelevant! It’s the people, or the process, that is important.” And I admit that I have taken their bait and given a snarky comeback like, “Fine, let me donate a copy of Norton Security Suite 1997. Now, go secure your enterprise.” I confess. That’s not a very charitable response.

I propose that, for a few moments, we all put aside our dogmas about cyber security, and let me preach about the balance between people, process, & technology. I proclaim that none of these is “more important” than either of the other two. Our charge is to keep all three legs of the stool in harmony. Yes, we will constantly shift our focus to shore up an area that needs emphasis. It’s about balance & perspective, not importance.

Certainly, way too many organizations place more emphasis on the technology than they should, falling into the trap of believing that they have once again found a silver bullet that fixes all their problems. We technologists are too often guilty of shouting on the street corner, “If you install ABC, you will be saved!”

So, why do so many of us fall into that trap of seeing technology as our savior? I think it comes down to something as simple as ‘The Serenity Prayer’.

“Lord, grant me the serenity to accept the things I cannot change,

The courage to change the things I can,

And the wisdom to know the difference.”

How do we fail to put that wisdom into practice? We blame people for being the weakest link. We can’t change them. Or, how about process improvement? It can be next to impossible to create meaningful change. The culture of the organization might be stifling. Or it is so complex that change is slooooooooow.

What do we have easy control over? THE TECHNOLOGY! It doesn’t fight back. It does what we tell it to do. (Well, we’d like to pretend that it does.) And it’s really easy to blame when it fails.

PEOPLE… Allow me to submit for your consideration… Contemplate those things you can change. We can’t change “users”. But we CAN make our message more engaging, more compelling. We can borrow from what we know about “user experience” design. We can change our attitude from “the weakest link is behind the keyboard” to “they know security is important, but their first responsibility is to do what they are paid to do”. How can I adapt my message so that it is not just read, but embraced?

PROCESS… I could write a book on process change and you, dear reader, can probably teach me as much as I could you. (My college degree was in process, but that was a long time ago and lots has changed.) Accept that there is inertia in organizations to change. Wishing that things were different is frustrating and, quite frankly, a complete waste. What can we change? We can change our approach. Example…

TECHNOLOGY… Recently, I had lunch with a security architect of a multi-national corporation who observed that her organization has a bad track record for selecting technology – not just for InfoSec, but also IT, and even non-IT purchases. She asked herself, “What are the underlying causes as to why my company has a track record of making poor long-term product decisions, especially when we make excellent decisions in other areas?”

She was pretty confident that she knew the answer, but until she asked the right question, and then went about making sure her suspicions were correct, she was not ready to change something much bigger than herself. Now, she has a plan and is determined to lead a change in the culture that will have an impact on the entire organization. Armed with her wisdom about what she can and cannot control, I have every confidence that she will be successful. And only then will she be prepared to identify technologies that her company will (hopefully) procure from me.

And me? I’m perfectly happy accepting that. It’s the right thing to do.

Can I get a big “AMEN”?