How to define efficient security processes

Every process has to have an owner. The owner is the person accountable for the success of the process. The owner is not who executes the process. Those who execute the process are the executors.

The owner defines how the executors have to perform the process, and the executors have to perform it as defined.

The owners do not need to define the process completely. They can define some steps of the process at a high level. In that case, the executors can decide how to perform those steps.

For any step defined by the owner, the executors cannot change how to do it. If they think the process is wrong, they have to escalate it, but they have to execute the process as defined.

Managers must measure executors by how they follow the process, not by its results. The owner must be measured by the process results.

Although owners have the last word (and the accountability) for the process results, it is wise for them to listen to executors. Executors can give good feedback about a process, as they are the people closest to it.

When owners have to define new processes, they have to test them first on a sample of the organization. We call this a pilot or laboratory. In the pilot, the owner tests the process in a real environment. One benefit of a pilot is that it does not affect the whole organization. Another benefit is that, for a pilot, you do not have to train the whole organization on the new process. You have to train only the executors within the sample.

The pilot should give the owner real and actionable data about the process. The data should show whether the process works or not. If the process does not work, do not hesitate to change it as necessary.

If the first pilot shows that the process needs only minor adjustments, the owner can expand it. If the process needs major changes, it is better to make them, and repeat the pilot on the same sample.

For security processes, the owner will be a member of the security team. The owner does not have to have a special role. If you lead the infosec team, you should not be the owner of any process. Naming owners is a way of empowering your team.

We can use this method both when the executors are other security people and when they are end-users. For example, imagine that you want to change the process for resetting passwords. First, you have to assign an owner. The owner will research different methods for resetting passwords. Then, they will write a process draft. The owner will test this process draft on a small sample of the organization. The sample should be as diverse as possible. Include “difficult” stakeholders from the beginning. You do not want to test a new process with them at the end. If they have objections, you want to know them as soon as possible. Train the executors in the sample on the process, and request that they execute it. Get their feedback. Do not ignore any feedback. Act on every input. Any objection in this small sample will appear many times when the owner expands the pilot. Adjust the process as necessary and repeat. Then, expand the sample and repeat until the whole company has executed it.

As we have said, we can apply this method when executors are security people too. Imagine that you want a team of four people to start doing forensic analysis. First, you have to name a process owner. The process owner will need to research the characteristics of a good forensics process and write it down. Then, they will train their colleagues on how to execute it. When there is an opportunity to execute it, one of their colleagues, one executor, will execute it. The owner will measure the success of the process and will get feedback from the executor. Depending on the results and the feedback, the owner will need to adjust the process. If necessary, they will even need to change it completely. If the results were good enough, the owner will be able to extend the pilot. We repeat these steps: measure the results, adjust the process, expand the pilot.

A well-defined and established forensics process helps produce repeatable, high-quality deliverables. Without a process, the variance in the quality of the deliverables will be higher.

TL;DR:

  • Name a process owner.
  • Let the owner investigate, get feedback, and define a draft for the process.
  • The owner will train a sample of the executors on the process.
  • Let executors execute the process on a pilot or laboratory (a small sample).
  • Verify that the process is working, or adjust it, or change it completely.
  • Repeat on the same sample if results were bad. Expand the sample if the results were good.
  • Learn, adjust, and expand the pilot until you have implemented it on the whole company.
