The Cybersecurity 3-Pillars; People, Process, Technology as the bedrock!


Digital Transformation over the years

The world has witnessed a few transformations, and by that I mean digital transformations. A simplified definition of digital transformation is the adoption of digital technologies to improve or create new business processes, customer experiences and organisation-wide cultural changes, in order to adapt to a changing world, new business needs and the demand for exemplary customer experiences.

Digital Transformation Image

Since the 1950s, also known as the Pre-Internet era, the birth of microchips and semiconductors has formed the bedrock of the digital technologies we see today. The Pre-Internet era lasted until around the 1990s, when the creation of the Internet took the world by storm, enabled quick connectivity across the globe and redefined business operations around the world.

The Internet enables quick and easy access to information, and hence changed the way businesses deal and interact with their customers. This was driven by changes in human behaviour, such as how we interact with others, search for information and make purchases online. This period, known as the Post-Internet era, also witnessed the birth of Google and the social media giant Meta (f.k.a. Facebook).

The launch of the iPhone in 2007, known as the Mobile era, transformed the way people interact and socialise, and again shifted the foundation established two eras before. It is this period which opened a world of new possibilities with the introduction of new social norms, and drove the need for a fresh round of digital transformation. With a mobile device on hand, we can easily interact with anyone, at any time of the day, and even faster than before. This new norm has once again disrupted every industry around the world, and software-centric players have the upper hand in this new world. The term “Digital Transformation” was also first coined around this period, in the year 2013.

A pandemic struck between the years 2022 to 2022; this period, known as the Post-Pandemic era, was the temporary transition between the Mobile era and the current Generative-AI era. During the Post-Pandemic era, digital transformation and innovation accelerated at a pace never seen before, with “Working From Home” the norm during that period. Businesses were again forced to rethink and redesign how they would serve their customers in a non-contact and remote world. With shifts in business needs and models, companies were forced to move their digital transformation initiatives from the drawing board to reality in order to create a better customer experience.

The current Generative-AI era is once again leading change globally, with many industry players and businesses diving into the trend and hoping to be among the top providers or adopters of such innovative technologies. Early studies and use cases have found that AI-driven solutions can further enhance customer service delivery and even security, creating new highways between businesses and customers.


People, Process, Technology as the foundation

Regardless of which of the eras described earlier we look at, People, Process and Technology remain the common observation across the timeline. We can trace the origins of the well-known People, Process, Technology (PPT) framework back to the 1960s, when it was coined by Harold Leavitt; it is also known as the ‘Diamond Model’. The model represents the intimate relationship between critical functional units within an organisation as interdependent components. This means that when one of the components moves or changes, it affects the remaining two.


People, Process, Technology Image

In today’s modern and rapidly changing technology landscape, the importance of a solid foundation cannot be overstated, especially when it comes to building strong cybersecurity governance, policy and posture within an organisation. Hence, adopting the PPT framework enables and guides organisations in building up a resilient cybersecurity posture.

People

“Humans are the weakest link in cybersecurity”.

That is a common line that I would often hear when interacting with industry players trying to market their cybersecurity solutions to me. But, not surprisingly, intentionally or unintentionally, humans, or People, are the common threat vector linked to 74% of data breaches, and played a role in phishing attacks and stolen credentials. That is based on a study by Verizon in the year 2023.

In dealing with People, consider these structured approaches, beginning with strengthening your organisation’s staff.

  • Roles and Responsibilities: Define clear roles and responsibilities for supporting and maintaining cybersecurity within the organisation. Ensure that everyone (including the CEO) knows their part in maintaining security and protecting the organisation’s data and assets.
  • Awareness and Training: Regularly educate all employees on the importance of cybersecurity hygiene and best practices, including regular training and awareness sessions to keep everyone informed and up to date.
  • Engagement and Interactions: Involve employees in cybersecurity processes or table-top exercises (TTX). Encourage employees to report suspicious activities and participate in cybersecurity drills.

Process

Having policies, processes and procedures in place ensures consistent guidance in managing and responding to cybersecurity incidents. An incident response plan is recommended so that everyone knows what to do when the time arises. A rapid and efficient response to threats reduces the impact of a cyber breach and contains the threat quickly.

  • Policy Development: Consider adopting a framework (such as the CIS v8 Critical Security Controls or the NIST Cybersecurity Framework 2.0) that provides guidance on how to develop and document your organisation’s cybersecurity policies and procedures. Ensure that these policies are aligned with your organisation’s goals and regulatory requirements.
  • Risk Assessment: Conduct a thorough yearly risk assessment to identify potential vulnerabilities and threats, and prioritise the resulting implementations based on the adopted framework.
  • Incident Response Plan: Create a detailed Incident Response Plan for addressing cyber incidents, including data breaches. Regularly review and evaluate the plan to ensure it remains effective and that everyone knows their roles and what to do.
  • Continuous Improvement: Establish a process for the continuous improvement and review of established policies, so that they remain effective and up to date against the changing cyber threat landscape.

Technology

People and Process form the foundation, supported by adopted Technology that functions as an invisible shield. Tools and technologies adopted or deployed need to be aligned with established policies, helping the IT and Security teams perform their roles effectively. Firewalls, Intrusion Detection and Prevention Systems and encryption are some of the most common examples adopted by organisations.

  • Inventory and Control of Enterprise Assets: Implement solutions that automatically track all managed devices and approved software in use within the organisation.
  • Secure Configuration: Ensure all enterprise assets, including software, are configured securely (consider the CIS Critical Security Controls, IG1/IG2/IG3) to reduce vulnerabilities and the attack surface.
  • Access Control: Adopt technologies that enforce and control access, ensuring only authorised users can access sensitive systems or information, and limit the duration of that access.
  • Continuous Vulnerability Management: Deploy tools or solutions that monitor and continuously scan for vulnerabilities, together with patch management to ensure systems are updated and secured.
  • Data Protection: Adopt encryption technologies that protect your data at rest and in transit, to safeguard sensitive data including PII.
  • Network Monitoring and Defence: Implement network monitoring to detect, report and respond to suspicious threats in real time.


To conclude

The intertwined, unbreakable relationship between the People, Process, Technology framework and cybersecurity means that the effort to build or maintain a cybersecurity posture is an ongoing process, as evidenced by the changes across the timeline since 1950. We need to embrace change and not be afraid of it; by being proactive, we can ensure the organisation is always a few steps ahead and protected against the ever-changing cyber threat landscape.


#cybersecurity #digitaltransformation #peopleprocesstechnology #CIS #CISv8 #CISCriticalSecurityControls #NISTCF2 #NCF2

Love this digital transformation journey! Each era has shifted how we connect and secure our work. People, Process, and Technology, spot on for strong cybersecurity! Staying adaptable is everything!


More articles by Joseph Tan
