Good Cybersecurity Revolves Around Three Pillars – and Each is Crucial

Posted on by Robert Ackerman

After many years trying to protect themselves from cyberattacks by spending ever more money on technology, companies have predictably improved their techniques and sometimes stopped cyberattacks cold. But they don’t come close to covering all the important bases. The biggest efforts continue to focus overwhelmingly on technology.

This is always considered a fundamental security pillar, as it should be. Yet there are two additional pillars – process and people – and they have long been far lower priorities, notwithstanding their significance. This is unfortunate: A broader security wingspan would fare better in blocking cyberattacks and breaches, even though many companies may not see things this way. 

The National Institute of Standards and Technology, a leading authority in cybersecurity, knows better, which is why it strongly recommends all three pillars as the backbone of any robust cybersecurity strategy, leaving many IT security teams with a lot of ground to cover. There is no single defensive mechanism that can ensure security across modern distributed networks. To defend well against current threats, IT teams need to take a layered approach.

Let’s start with the importance of focusing on people, typically considered the weakest security link, because human error or ignorance can unintentionally create vulnerabilities. Consequently, awareness and training are essential, and training is insufficient unless it takes into account constantly changing attack modes. Employees need to understand the potential risks, what they can do to mitigate them, and how their actions affect the overall security of the organization.

Process refers to the set of procedures and policies in place to guide the interaction between people and technology. These can range from simple password policies to complex disaster recovery plans. These processes must be regularly reviewed and updated to match evolving threats.

For its part, technology refers to the tools necessary to defend against cyberthreats. Although it’s the single most important pillar, technology alone cannot secure an organization. It must be accompanied by well-informed people and sound processes. 

Even the regular implementation of leading security technologies won’t keep an organization safe if strategic processes aren’t in place or a security team doesn’t have the skills in place to manage them. By the same token, even the best processes and policies will do little to protect an organization if user awareness and adoption are low. 

Why do these two security weaknesses continue to exist? The answer appears to be due, in part, to competing agendas. Top executives and the board of directors at some companies may see cybersecurity as a priority only when an intrusion occurs. In contrast, the chief security officer and his team view cybersecurity as a daily priority.

With conviction at cross purposes, disputes about the most relevant types of threats and the amount of spending required to protect data are not uncommon. If there have been no cyber breaches of late, business leaders might tighten the reins on the cybersecurity budget for a while, perhaps opening the company to an attack in the interim. Conversely, if there have been a number of threats recently, business leaders may reflexively decide to overspend on new technologies without appreciating the value of other non-technical remedies.

Ironically, a survey of cybersecurity practitioners by Gurucul, a southern California-based cyber risk management company, found that cybersecurity budgets are often wasted by an overabundance of tools. The survey found that 53% of respondents believed that they squandered more than half of their cybersecurity budget. Cyber pros said they couldn’t be effective in detecting and mitigating threats because too many tools created too many time-consuming false alerts. 

Meanwhile, research underscores that many companies are doing a sub-par job on the cybersecurity education front, which explains why surveys have found that as many as 95% of data breach incidents are caused by employee mistakes. Employees typically get a day or two of training when they are hired and thereafter an annual brush-up. Much tends to be forgotten after a few months. What is needed is more continuing educational interaction.

Making matters worse, research shows that one in four employees responsible for a breach lose their job within about a year, according to security firm Tessian’s "Psychology of Human Error 2022" study, even though many employees fall for a phishing email because the attacker impersonated a company executive. As a result, fewer employees report their mistakes. What seems to be overlooked is that the more current cybersecurity knowledge rank-and-file workers have, the less likely they are to make a mistake in the first place.

There are issues on the process front as well, including insufficient password protection. For instance, a study by Ivanti, a Utah-based cybersecurity firm, found that one in four employees reuse work passwords for a variety of personal transactions, opening the door to a potential data breach. The more places a password is used, the more likely it will be compromised at some point. Not enough companies have stepped in to remedy this problem.

It’s true that attacks and breaches cannot be totally stopped. The cyber backdrop, however, is far from hopeless. Embracing the three cybersecurity pillars with the appropriate means and measures can still materially improve security. The challenge is to embrace the discipline required to adopt a truly holistic approach. 

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Topic: Security Strategy & Architecture

Tags: security architecture, security analytics, security operations, security awareness, security intelligence, operational technology (OT security), technology sovereignty, professional development

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
