People, Process and Technology

Security is not just about technology.

Why Are People, Processes, And Technology Important For Information Security And Privacy?

Information security and privacy are essential for protecting the confidentiality, integrity, and availability of an organisation's information assets. You can achieve great things when people, processes, and technology are aligned and working together effectively. However, when one of these pillars is weak or out of balance, it can hurt the entire organisation.

People, process, and technology are like the three musketeers. They work better together than apart.

People

"People" refers to employees, contractors, third-party providers and stakeholders, including everyone from the CEO to the frontline staff. Security is everyone's responsibility. One wrong link clicked, one setting misconfigured, one email sent to the wrong person, or one disgruntled employee can all create havoc.

People are the most important asset of any organisation. They are the ones who create and deliver products and services, interact with customers, and drive innovation. Without talented and engaged employees, no organisation can succeed. But as much as they are important, they are also a significant risk, the biggest, possibly.

Employees are the first line of defence against cyberattacks. They should be aware of the organisation's key threats and risks. They should know where to find policies and processes on how to protect sensitive assets. Awareness training is key here. They should also be trained on how to identify and report suspicious activity.

Other important factors to consider are background checks when hiring new employees and limiting access to only the assets they need to do their jobs.

Tips

  • be succinct in your comms with employees
  • use relevant examples that speak to them
  • use humour

Processes

Processes are the systems and procedures that organisations use to get things done. They provide a framework for employees to work within and help to ensure that tasks are completed efficiently and effectively. When well-designed and implemented, processes can help organisations improve productivity, quality, and customer satisfaction.

Processes are also key to good information security practices.

Organisations should have a comprehensive information security policy that outlines their security goals and objectives. The supporting processes should be designed to protect information assets from various threats, including unauthorised access, data loss, and malicious attacks. Another important aspect is incident response procedures: the process of responding to and recovering from a security breach.

Your organisation’s policies and processes should be reviewed and updated regularly to reflect changes in the organisation's environment.

Technology

Technology is the tools and systems that we use to support our people and processes. It can be used to automate tasks, improve communication and collaboration, and provide insights into data. When technology is used effectively, it can help us improve efficiency, productivity, and innovation. But it’s also a multiplying force for attackers, who can increase the scale of the damage they can inflict.

Technology is an enabler for most organisations, but also for attackers.

You need to consider information security and privacy from the beginning when considering which technology to use and how to use it. When done right, it is possible to use more technology safely.

  • Organisations should use defence in depth when designing the security controls that protect their information.
  • These technologies should be properly configured and maintained.
  • Organisations should regularly test their security systems to ensure they work properly.

Key takeaway

  • Security and privacy are everyone's responsibility.
  • People, Processes, and Technology are all key pillars of information security and privacy and must work together to be effective.
  • Your organisation should have a comprehensive information security policy in place.
  • Your employees should be trained on security good practices relevant to their role.
  • They should know how to identify and report suspicious activity.
  • Security processes should be well-defined, documented, and followed by all employees.
  • Organisations should design systems and processes with information security and privacy in mind from the ground up.

Next steps

  1. Review your policies. Can you find them? Are they easy to read and understand? Ask around to see if people know about them and what feedback they have about them.
  2. Train your employees. This may include things like security awareness, where to find policies and how to respond to an incident. Have you received training yourself? Was it useful and informative?
  3. Test your employees. Do you run phishing campaigns? Do you know if your teams follow good security practices? Measure this so that you can improve.
  4. Measure your security posture. Do you know how good your security is? Are you using any framework to measure this and improve?

The more you sweat in practice, the less you bleed in battle