We have all been repeatedly told that corporate cybersecurity posture is an interconnected blend of three things: people, process, and technology. However, when we learn about a successful cyber attack against a company, we usually hear that the root cause was EITHER a human error (e.g. Steve opened a malicious email attachment) OR a technical failing (e.g. the Cisco VPN was vulnerable to remote code execution). Very rarely do we hear a story that is not a one-sided tale of the users or the technology failing. The reality is that a successful cyber attack is usually the result of a failure in all three areas, not least of all PROCESS: the unpatched VPN and the opened attachment both point back to something that was not being done, measured, or checked on a regular schedule.
“Process”, as it relates to cybersecurity, is typically a reflection of an organization’s overall culture, and more specifically, the behavior of its employees. If the corporate culture promotes a “laissez-faire” attitude (i.e. don’t worry about it), this directly shapes how employees behave, how the cybersecurity team reacts to incidents, and how consistently routine work gets done: patching, monitoring, threat hunting, vulnerability management, penetration testing, and of course, the configuration of security controls.
Although changing an entire organization’s culture and behavior can be a daunting and near-impossible task, changing cybersecurity behavior by implementing repeatable, measurable processes can be relatively painless. It can drastically reduce your exposure and harden the network against attackers, because a process that runs on a schedule and produces a number is one that nobody has to remember to care about.
Let’s take the example of doing a configuration audit on your network infrastructure. These are the devices that are critical to how the network functions, and the category includes routers, switches, firewalls, and VPN concentrators.
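To show what “repeatable and measurable” looks like for such an audit, here is an added example (not code from the original article): a small Python script that runs a fixed set of baseline checks against a device running-config and returns a list of findings plus a compliance score, so the same audit can be rerun every week and tracked over time. The two configs are constructed samples in IOS-style syntax, not from any real device; the check IDs (CFG-001 and so on) and the specific checks are assumptions chosen for illustration, and a real audit would carry the organization’s own baseline.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample running-config in IOS-style syntax (not from any real device).
# Every line below is something a baseline audit should flag.
WEAK_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same constructed device after remediation. The secret hash is a placeholder.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 9 REDACTEDHASH
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
 login local
"""


def _has(lines: List[str], pattern: str) -> bool:
    """True if any config line matches the anchored regex."""
    rx = re.compile(pattern)
    return any(rx.match(line) for line in lines)


def vty_lines(lines: List[str]) -> List[str]:
    """Return the indented child lines of every 'line vty ...' block."""
    out, in_vty = [], False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line.startswith(" "):
            out.append(line.strip())
        else:
            in_vty = False
    return out


# (check id, description, predicate that returns True when the check FAILS).
# Check ids are hypothetical labels for this example.
Check = Tuple[str, str, Callable[[List[str]], bool]]
CHECKS: List[Check] = [
    ("CFG-001", "enable password used instead of enable secret",
     lambda ls: _has(ls, r"^enable password ") and not _has(ls, r"^enable secret ")),
    ("CFG-002", "service password-encryption disabled",
     lambda ls: _has(ls, r"^no service password-encryption$")),
    ("CFG-003", "default SNMP community string (public/private)",
     lambda ls: _has(ls, r"^snmp-server community (public|private)\b")),
    ("CFG-004", "cleartext HTTP management interface enabled",
     lambda ls: _has(ls, r"^ip http server$")),
    ("CFG-005", "telnet allowed on vty lines",
     lambda ls: any(re.match(r"^transport input .*\btelnet\b", v) for v in vty_lines(ls))),
]


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Run every check; return (id, description) for each failed one."""
    # Keep leading whitespace: it marks child lines of 'line vty' blocks.
    lines = [l.rstrip() for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    return [(cid, desc) for cid, desc, fails in CHECKS if fails(lines)]


def score(config_text: str) -> int:
    """Percentage of checks passed, the number to track from audit to audit."""
    failed = len(audit(config_text))
    return round(100 * (len(CHECKS) - failed) / len(CHECKS))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: score {score(cfg)}%")
        for cid, desc in audit(cfg):
            print(f"  {cid}: {desc}")
```

The point of the script is not the five checks themselves but the shape of the process: the checks are written down once, run the same way every time, and produce a number that can be compared with last month’s. Adding a check is a one-line change, and pulling configs from a device backup directory rather than inline strings is the only change needed to run this across a fleet.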