Along with process and technology, security programs need strategic leadership, skilled performance, and effective asset orchestration. It's time to revisit the Schneier Maxim.

Since he coined it in 2000, Bruce Schneier's observation that "security is a process, not a product" has been enormously influential in the security community. The Schneier Maxim articulated for a generation of security professionals, myself included, the fatal flaw in any security strategy that expected technology to solve security problems. If you believed it could, Schneier went on to write in Secrets and Lies, you understood neither the problems nor the technology.

The Schneier Maxim was philosophical as well as practical, challenging people to think and act differently with regard to information security. Schneier wasn't the only one at the time who saw the need for change. But with "process not a product" he managed to encapsulate what that change meant better than most. The aphorism helped usher in a more strategic approach to information security, starting with the fact that you actually had to have a strategy beyond plugging technology product after technology product into your network.

The security field has come a very long way in 15 years. We've seen radical changes in our environment and in the challenges we face. We've experienced equally impressive transformations in the sophistication and operational capabilities of enterprise security, despite the often gloomy mood of a community that has lately been plagued by a seemingly endless stream of public failures and breaches. Even the most techno-romantic security executive today is probably willing to admit that success or failure depends as much on their processes as on their gear.

In fact, most security programs rely on many processes to meet their objectives. Instead of "a process," monolithic and singular, security is actually a portfolio of organizational processes that can be as complex and specialized as the equipment running within the infrastructure. Some of these processes complement one another. Others compete and conflict. Most demand unique skills and knowledge, from threat intelligence to assessments and audits to incident response. And each of these processes is an individualized enterprise asset that, like other resources, must be made to interoperate efficiently and effectively within the whole.

Imagine juggling. With two hands, two eyes, and a moderate amount of coordination between them, most people will be pretty good at juggling one ball. Throwing another ball into the mix is also usually manageable. Add a third ball and you start weeding out contestants. Some people will never learn to juggle three balls at once. Some, through combinations of natural talent and long practice, will become amazing and move on to six or seven balls, or maybe bowling pins. Or chainsaws. But even when everyone is juggling the exact same things, some will always do it better, faster, with more skill. They just end up more proficient at it.

Managing a security program has much in common with juggling, which is why we so often use the sport as a metaphor. Like when someone tells you they have too many balls in the air to worry about your problems right now. And not just balls. Managing all the security processes in play within your average security program is like juggling balls, beanbags, knives, and cats. Some security leaders do it with skill and style. Others struggle just to keep it all in motion without getting cut or clawed. Even when everyone manages to avoid injury, there is a difference between doing a thing and doing that thing well. Which is why we need to update the Schneier Maxim, or at least add a corollary to it. Allow me to propose one:

Security is more than a process. It's a proficiency.

It's no longer enough to recognize that security requires a process. Good security demands a slew of processes, organized and orchestrated as a coherent system. And you have to be good at all of them to really pull the whole thing off.

Proficiency is about people. Machines can't be proficient, and neither can best-practice frameworks or workflow documents. For at least as long as the Schneier Maxim has been in effect, our community has described security as a people, process, and technology challenge. The corollary builds on the Maxim to take security full circle. The Schneier Maxim put process on equal footing with technology. The corollary reminds us that, in the end, security is people-centric. A company can have the best security technology in the world, the most well-designed security processes and best practices in the industry. But these resources won't manage themselves. If security leadership can't proficiently keep those disparate, specialized assets in balanced operation, sooner or later everything comes crashing back to the ground.