Using the common PPP Framework (People-Process-Product), Systal’s Principal Architect Tim Watson explores the importance of maintaining equal focus on all three Ps in IT security.
It’s a well-known saying: “Two’s company, three’s a crowd”. Whilst this might apply to a dinner date or a tandem bike, it doesn’t make sense everywhere. In IT circles, talking about the three P’s might make some of you think of the Point-to-Point Protocol for serial network links (PPP), or perhaps the Star Wars character C-3PO as lots of us tech lovers are also sci-fi lovers. But now, the long-standing People-Process-Product triad comes to mind. “The three Ps” phrase is so prolific, it’s used for many other models, in medicine, personal performance, marketing, and first aid.
The People-Process-Product model is useful in many areas of life. In manufacturing, for example, you will achieve the best results by having skilled People, well-understood and clear Processes for them to follow, and the right Products to support the effort i.e. machinery, tooling and timely component supply. In the military, to achieve success in a deployment or engagement, you want highly trained People who can understand and execute orders well, Processes which are ingrained into them during training (e.g. clearing a weapon jam in seconds without thinking, just doing it), and Product – outfitting all squad members with a carefully selected weapon which is less likely to jam in the first place! Now think of the medical profession or commercial aviation, and how it could apply there.
Having one or two of the Ps squared away is never enough for success. We can clearly see the issues in a space exploration scenario. Having highly trained astronauts and a great launch vehicle, but poor mission control is going to bring a lot of risk to the mission. Equally, having a poorly tested rocket which could fail catastrophically, or an unfit astronaut would add risk even if the other two items are as strong as you can get them, within your time and budget limits of course – space travel costs a fair amount…
It’s clear that this concept is useful in all sorts of scenarios, so it won’t come as any surprise to find out that it helps in the IT security world as well. A weakness in one of the Ps can lead to different challenges:
Process
It’s all very well having bought one or (in most cases) several class-leading software Products to meet various IT security needs (a SIEM tool, a vulnerability management suite, endpoint AV/FW/IPS, penetration testing tools, and so on), but they won’t be much use without trained People to install and support them, and Processes for these people to follow in order to best operate them. Consider a new joiner to the SecOps team: can you point them to documentation which explains clearly and thoroughly how they will be expected to perform Vulnerability Management for the organisation? Or is that just knowledge in someone’s head? The latter will lead to those awkward training sessions with the current SME stumbling through it, uttering phrases like “This is how we got it to work the last time”. If that sounds familiar, then work is needed on the Process side of things.
As an ISO 9001 and 27001 certified company, we know all about Processes at Systal, with an impressive library of security best practices, templates, guides and plans we can utilise in our customer engagements. We can adapt these to fit the specific requirements, as often customers will have their preferred tools and ways of working to consider. We understand one size never fits all.
People
A different scenario could be you have the same set of shiny tools and a strong library of process documentation (which is regularly reviewed and tuned), but your hiring process is bringing in the wrong type of employee, who might be struggling to understand the technology, or unable to find and follow the processes. We’ve all met people who “Hate reading the documentation” and “Should be able to work it out myself”. This is where the People side is letting it all down.
Systal takes great pride in its people, we have many skilled and keen security staff in our company who can pull together into the right virtual team to complement our customers’ security organisation. We keep their skills sharp with regular training and encourage collaboration across teams to maximise their effectiveness.
Product
Now take the example of a customer who has their Processes as good as they can be, and plenty of highly-skilled, enthusiastic and adaptable People, but inadequate tooling. This could be a result of one of a number of things: budget-constrained hardware and/or software; poor lifecycle management (i.e. some tools are out of date, so they lack features/perform poorly); their chosen tools can’t integrate with some systems; gaps in the toolset which nobody identified; or the opposite problem: they just have too many which are a nightmare to manage – wasting everyone’s time. This is a Product issue.
Systal regularly reviews its preferred security product vendors, as things never stand still in this world. We make sure we can provide the best value and capability across different industries. What was right last year, may no longer be good enough. We stay close to our preferred partners to make sure we know what’s coming next.
It only takes one faulty leg on a stool to lead to failure, and it’s the same in IT security. Incidentally, why do stools usually have 3 legs? A 3-legged item will be stable on uneven ground, whereas 2 legs don’t provide enough support, and 4 tends to wobble. If there were 4Ps in this model, would it be difficult to balance them all successfully? Food for thought.
Want to Know More? Ask a Systal Expert
For more information and to discuss how Systal can help with your business’s People-Process-Product triad challenges, speak to one of our experts.
Tim Watson is a Network & Security Architect working for Systal Technology Solutions in the UK, with over 30 years’ experience in the IT industry. During his time at Systal, and previously AT&T and IBM, he has built a wealth of experience in all areas of IT, having created solutions for customers across many different industries, based on multi-vendor platforms. He currently holds several industry certifications, and more recently became a Sustainability Champion for Systal.
Contact Systal's Experts