Security Maturity: The Role of Process in Cybersecurity

Zach DeMeyer
June 6, 2023

People, processes, and technology, or PPT, are the three pillars of any cybersecurity strategy. As businesses seek to improve their security maturity, they need to find ways to improve upon their PPT as well.

Processes constitute the routine, repeatable practices that businesses use when it comes to cybersecurity—both in day-to-day operations as well as before, during, and after a security incident. In this blog, we’ll dive into the overarching role of process in cybersecurity, including the ways it should be implemented and measured for continued success.

How process defines cybersecurity

Processes lay out how a business acts regarding all aspects of cybersecurity. When creating and implementing cybersecurity processes, businesses need to consider all possible angles to ensure the processes have full coverage over various practices and procedures that involve security. This could be anything from daily network administration to new user onboarding to security solution management as well as incident response (IR) and other key procedures.

Behind every process, regardless of when or where it happens, there needs to be a consistent methodology. Everyone involved with security will have a different approach to how they react and solve problems during an event. A consistent methodology behind processes ensures that everyone is pulling in the same direction and covering the same bases, no matter the incident.

Another important characteristic of effective cybersecurity processes is that they must be dynamic. Cybersecurity constantly evolves as threat actors change their tactics and approaches. So, defenders need to ensure that their processes are just as adaptive. To this point, it is crucial to have an after-action process in place. This allows the team to reflect, track metrics, and use those metrics to find areas of improvement.

Although they can’t be set in stone, processes must also be stringently documented. That way, all members of the business can clearly understand them and their roles in them. Doing so allows businesses and their security personnel to act in a steady, proactive manner as opposed to an ad hoc, reactive approach to cybersecurity.

As businesses mature their cybersecurity posture, their processes must follow suit. Mature cybersecurity processes are comprehensive, as well as documented and dynamic as detailed earlier, but there’s another key characteristic that bridges the other cybersecurity pillars. Cyber-mature organizations adhere to processes across the entire business. This means every person at the company—even those without cybersecurity in their job description—follows processes as laid out by the security team and understands their role in them.

Implementing effective cybersecurity processes takes iteration

Organizations rolling out their cybersecurity processes need to be cognizant of the fact that they won’t get it 100% on their first go. Cybersecurity processes are iterative; they require tweaking and correcting as the business changes—and as cyber incidents occur.

Ultimately, the most important thing about implementing processes is to have them ready before an event occurs. This is especially critical for processes like IR where not having anything in place could spell disaster for the company. One can’t possibly know how the business will perform in the heat of a cyberattack, but having some sort of processes laid out beforehand will do a world of good compared to having nothing.

A major portion of this process is laying out escalation tracks. As events gain severity, more and more stakeholders will need to get involved across the company. So, it’s best to understand who needs to be included when developing new processes.

When implementing new processes, while it’s important to make them as comprehensive as possible from the get-go, they need to be stress-tested and further tailored to ensure they meet the needs of the business. To start, prior incidents or activities from the company’s history serve as a great benchmark. Considering the various aspects of such an event, run the new processes through its lens. A good process will address most, if not all, of those aspects, setting it up for future success.

Red, blue, and purple team exercises also help to streamline this stress-testing before processes are put under fire in an actual incident. Activities such as wargaming or tabletop exercises help uncover whether someone is unaware of their role or whether communication breaks down during the detection, response, and containment processes.

Starting small here is key; it’s best for all stakeholders involved to know their roles and become familiar with their responses. Then, as cybersecurity posture matures, more layers can be involved to ensure full coverage when a process is kicked off.

To assist in process implementation, we’ve created a guideline for creating and improving cybersecurity processes under the CLEAR model. Learn more about what that means here.

Evaluating processes by measuring KPIs

Of course, organizations can’t possibly improve upon cybersecurity processes without understanding their efficacy, and that is impossible without metrics to measure them. In the beginning, these don’t need to be tracked in fancy reports; those will come into play as the processes mature. Just understanding them at their core is essential for being able to adapt and improve processes.

Here are a few KPIs to consider when evaluating cybersecurity processes:

  • Coverage: What aspects of the business have a cybersecurity process associated with them? Identifying these gaps helps to establish which processes need to be created and which may need to be altered based on the changing nature of the business. It could even include evaluating your cybersecurity solutions and their vendors to ensure they fully meet your needs. Additionally, are there processes in place for various types of attacks, including ones that end in a breach? Processes need to be set up for all potential scenarios, even the worst possible outcomes. Identifying these gaps will not only help improve processes overall but also prove to compliance auditors that the business is keeping processes up to date.
  • Redundancy: If a responsible person is somehow unable to carry out their duties for a specific process, the result can be catastrophic. Train multiple individuals for the same aspects of a process to ensure that nothing slips through the cracks.
  • Mean times: Cybersecurity is all about speed. These metrics are important to evaluate how a business’s threat detection and response capabilities are performing. Commonly included are Mean Time to Detect, Mean Time to Respond, and Mean Time to Contain. All these mean times help an organization identify how its processes work in real-world scenarios. In the early stages, these metrics can be difficult to quantify, but having a general idea of time (was it minutes or hours, or worse, days?) is a good start. As the cybersecurity program matures, these will become more granular.
  • Event severity: Not all security events are made equal. Some may be small nuisances; others, critical, business-defining incidents. Tracking the severity of each event helps shape processes, especially as they relate to escalations. There’s no need to bring in the CISO or CEO for every little thing, but they will certainly need to be involved when a big event happens.
  • Company-wide adherence: Is everyone on board for supporting the business’s cybersecurity? Do they know what role they play? Carrying out routine cybersecurity training ensures that people know how important cybersecurity is to the company, and what they need to do to support that endeavor.
  • Available documentation: Are the processes laid out in a way that everyone can view and understand? Without established documentation, employees can’t understand their part in cybersecurity. This rings especially true as new members are added to the team. Track the number of stakeholders who have reviewed the documented processes to ensure everyone is bought in.
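The mean-time and severity KPIs above are easiest to reason about with real records in hand. The following is an added example, not code from the original post or from Todyl: it computes MTTD, MTTR, and MTTC from a handful of constructed incident records, breaks them down by severity so escalation tiers can be compared, and maps each result onto the coarse "minutes, hours, or days?" scale the post recommends for early-stage programs. The stage definitions (detection measured from occurrence; response and containment measured from detection) are assumptions for this example, since they vary between programs and should be pinned down in your own process documentation. An incident that has not yet been contained is excluded from MTTC rather than silently counted as zero, and the number of open incidents is reported so the gap stays visible.

```python
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample incident records for illustration; none of these are real
# incidents. Each record carries the timestamps an incident-response process
# produces (ISO 8601, all in one timezone). None means the stage has not
# happened yet or was never recorded.
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-001", "severity": "low", "occurred": "2023-05-01T08:00",
     "detected": "2023-05-01T08:20", "responded": "2023-05-01T09:00",
     "contained": "2023-05-01T10:30"},
    {"id": "INC-002", "severity": "high", "occurred": "2023-05-03T22:00",
     "detected": "2023-05-04T06:00", "responded": "2023-05-04T06:30",
     "contained": "2023-05-04T18:30"},
    # Still open: detected days after the fact and not yet contained.
    {"id": "INC-003", "severity": "critical", "occurred": "2023-04-10T00:00",
     "detected": "2023-04-13T09:00", "responded": "2023-04-13T10:00",
     "contained": None},
    {"id": "INC-004", "severity": "low", "occurred": "2023-05-10T14:00",
     "detected": "2023-05-10T14:05", "responded": "2023-05-10T14:15",
     "contained": "2023-05-10T14:45"},
]


def _minutes_between(start: Optional[str], end: Optional[str]) -> Optional[float]:
    """Elapsed minutes from start to end, or None if either stage is missing."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def stage_durations(inc: Dict[str, Optional[str]]) -> Dict[str, Optional[float]]:
    """Per-incident durations in minutes. Definitions assumed for this example:
      detect  = occurrence -> detection
      respond = detection  -> first response action
      contain = detection  -> containment
    """
    return {
        "detect": _minutes_between(inc["occurred"], inc["detected"]),
        "respond": _minutes_between(inc["detected"], inc["responded"]),
        "contain": _minutes_between(inc["detected"], inc["contained"]),
    }


def mean_times(incidents, severity: Optional[str] = None) -> Dict[str, Optional[float]]:
    """MTTD / MTTR / MTTC in minutes over the given incidents, optionally for one
    severity. A stage with no completed incidents yields None rather than a
    misleading zero, and open (uncontained) incidents are counted separately."""
    selected = [i for i in incidents if severity is None or i["severity"] == severity]
    durations = [stage_durations(i) for i in selected]
    result: Dict[str, Optional[float]] = {
        "incidents": len(selected),
        "open": sum(1 for i in selected if i["contained"] is None),
    }
    for key, name in (("detect", "mttd"), ("respond", "mttr"), ("contain", "mttc")):
        values = [d[key] for d in durations if d[key] is not None]
        result[name] = mean(values) if values else None
    return result


def coarse_bucket(minutes: Optional[float]) -> str:
    """The 'minutes, hours, or days?' scale the post suggests for early programs."""
    if minutes is None:
        return "unknown"
    if minutes < 60:
        return "minutes"
    if minutes < 24 * 60:
        return "hours"
    return "days"


def report(incidents) -> Dict[str, Dict[str, Optional[float]]]:
    """Mean times overall and per severity, so escalation tiers can be compared
    against how each actually performs."""
    out = {"all": mean_times(incidents)}
    for sev in sorted({i["severity"] for i in incidents}):
        out[sev] = mean_times(incidents, sev)
    return out


if __name__ == "__main__":
    for label, stats in report(INCIDENTS).items():
        print(f"{label:>8}: n={stats['incidents']} open={stats['open']} "
              f"MTTD={coarse_bucket(stats['mttd'])} "
              f"MTTR={coarse_bucket(stats['mttr'])} "
              f"MTTC={coarse_bucket(stats['mttc'])}")
```

Running it as written shows the critical-severity tier sitting at "days" for detection while the low-severity tier sits at "minutes", which is exactly the kind of contrast that should feed back into the escalation track and the after-action review. As the program matures, the same functions can be pointed at a ticketing export and the coarse buckets replaced with the raw minute values.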

With these and other KPIs established and tracked, businesses can measure how effective their processes are, and subsequently improve upon them in the future. In addition, understanding these metrics and how they relate to cybersecurity efficacy helps companies determine their ROI for security as a whole. Offsetting the cost of cybersecurity PPT against the potential costs of a breach enables the organization to understand just how valuable investing in cybersecurity is to its operations.

Maturing cybersecurity processes and programs

Understanding the role of processes is only part of the bigger cybersecurity picture. Ultimately, the sum of each pillar (PPT) is greater than its parts but is only truly as good as the weakest link. To evaluate how your business’s cybersecurity posture stacks up, download our Security Maturity Model eBook and see where you can improve and iterate.
