Establishing a Risk-Based Security Strategy

Implementing a security management process is key

At a recent security conference, security practitioners were asked to list some of the “important security processes” in their security function. Some responded by asking, “What qualifies as a process?” Others named specific processes such as visitor management, investigations, background checks or security clearance, reviewing critical server audit logs, training, access control (both physical and logical), software patching process, security officer patrols, incident response, departing employee exit interviews and so on.

Out of the many dozens of practitioners asked this question, only one mentioned a process for managing security. This is not surprising.

For many organizations, security management evolves over time out of incident response, or the need to oversee certain aspects of organizational security such as executive protection or supply chain security, or to deal with regulatory compliance. As organizations grow, security needs grow, and sooner or later (but not always) someone is designated or hired to fill a full-time security position. Having been created in response to one or more security problems, the security position often starts in problem-solving mode and before long, the security program grows to become a collection of security practices and activities that are mainly the collected solutions to past problems.

However, for many companies, security is changing from the reactionary function described above to a proactive function that looks and plans ahead. Periodic risk assessments are performed, recommendations are made and the security program advances.

But at the same time, security programs tend to backslide. Processes and procedures are put into place, but they often evolve away from what was initially established. The organization also changes, creating unseen security gaps that are not addressed as quickly as they should be.

As the organization grows and operates, maintaining effective security can become an almost overwhelming activity. Practitioners work overly long days that overflow from one into the next. The daily question changes from “What should I get done today?” to “What can’t I get done today, and what will the consequences be?”

Not all days are equally stressful, and all days do pass. In any given year, a lot gets done, but more often than not when looking back, it seems like more progress should have been made.

This situation hits the most dedicated and sincere security practitioners the hardest, as they take their jobs seriously and take their responsibilities to heart. It can be difficult not to view security shortcomings as personal shortcomings, because “the buck stops here” is a somewhat built-in attitude for many practitioners.

However, there is a very big difference between performing security and managing security, and most security practitioners were performing security duties long before they were managing them. The primary source of stress — the lack of an appropriate process for managing security — is not obvious; thus, neither is the solution.

Process vs. Stress

The term “process” sounds technical, making a discussion about “a process for managing” seem clinical or academic. Many people have negative experiences with organizational processes, for example, mindless execution of prescribed actions regardless of whether or not they fit the circumstances. In some organizations, processes have been implemented by mandate and without sufficient planning and piloting — sometimes resulting in confusion and chaos.

I have talked to security practitioners who bristle at the thought of “management processes.” They are caring and thinking people who do not want any more mindless bureaucracy than what they already have to deal with — and they especially do not want to be the ones creating or mandating it. To them, more process equals more stress, not less.

These ideas and attitudes — while completely understandable — put completely out of reach the most important tool that a security practitioner can have: a sound process for managing security.