"People, Process, and Technology"
Back in 1999, when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. At the time, it was an important notion; security was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system.
This blog post argues that the IT security world has become so complicated that we need less in the way of people and process, and more technology:
Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I’m speaking as a pioneer and highly experienced expert in process and human factors.
Today I’d ditch the Triangle. It’s become an argument against excessive focus on technology. Yet that’s what we now need. There’s nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.
He’s right. People and process work on human timescales, not computer timescales. They’re important at the strategic level, and sometimes at the tactical level—but the more we can capture and automate that, the better we’re going to do.
The problem is, though, that sometimes human intelligence is required to make sense of an attack, and to formulate an appropriate response. And as long as that’s the case, there are going to be instances where an automated attack is going to have the advantage.