This is the second in a series of three blog posts focusing on Critical National Infrastructure (CNI) cybersecurity. This blog looks at the problem space through the lens of "People and Processes."
- Enterprise security challenges for CNI organizations: Overview
- Enterprise security challenges for CNI organizations: People and processes
- Enterprise security challenges for CNI organizations: Technical solutions
As mentioned in the previous blog post, CNI cybersecurity is not just a technical problem—technology and tools can be enablers to help reduce risk, but you should also identify the "people and processes" required to put good security practices in place.
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier
For those of you aware of the Open Systems Interconnection (OSI) model, you can see people as "Layer 8." To take the analogy further, you could say that organizational processes, governance and policies are "Layer 9." People are needed to put all the relevant pieces together correctly to reach the desired state of security.
People
Imagine buying a bookshelf from a certain Nordic flat-pack retail company. You have all the relevant parts and documentation to build the bookshelf, but you don't have the skills to piece them together. If you continue without the appropriate skills, you may end up with a bookshelf that isn't fit for purpose or, even worse, is actually dangerous. In a CNI organization, the equivalent scenario could lead to a catastrophic event. Therefore, enabling Layer 8 security is paramount to enhancing the security posture of all CNI platforms. IT engineers and administrators must understand how to build, configure and integrate the various products to reach an agreed end state using repeatable and compliant methodologies.
Several security-related phrases bear this out, such as "security is everybody's concern," "security is a process, not a product" and "security is key to your business success." You can create a "security by design" culture and embed security processes earlier into the platform design and architecture phases by having trained and security-aware staff across the whole CNI organization.
There are many cybersecurity training areas that could be beneficial for CNI organizations. These include:
- CNI threat intelligence techniques
- Cloud security processes
- Data protection
- Data sovereignty
- Social engineering
Making this behavioral and cultural shift to a DevSecOps-focused mindset doesn't happen overnight. It takes perseverance and a willingness to change. CNI organizations need to fully understand all security and safety aspects before making any major changes. This understanding should come from a bottom-up and a top-down approach. Engineers and developers must embrace security via osmosis as part of a cross-functional team or through official training (either internal or external). Senior managers and CISOs should articulate the security requirements and risk management strategies across the organization so that every staff member understands why they need to build in security by default.
Processes
Security processes are a series of steps followed consistently, as a repeatable approach or cycle, to achieve better security within an organization. For CNI organizations, stability and resilience are critical to maintaining continuous operations. Processes should be certified, repeatable and automated where possible.
In addition to individual internal processes, CNI organizations have requirements and governance policies laid down by various regulatory bodies. Being able to provide attestation to these requirements means implementing many processes, some of which could benefit from being automated.
Oftentimes, security risks are born of honest mistakes, or of people making necessary compromises to make technology usable on a daily basis. If a computer doesn't help a user encrypt a file and keep it encrypted through daily use, then the file goes unencrypted. If a computer doesn't help a user manage passwords, then the same password gets used for everything. It's human nature, but it's easy for computers to perform the steps that humans don't have the time or mental energy to do themselves.
Work with your users to discover what could be made easier through automation. Find the shortcuts people have to take, whether they like it or not, to save time and energy or just to make two applications work together, and then build automation to solve those problems. This can start with the IT and DevOps teams, where automation tends to be integrated, at least to some degree, with existing workflows already. Expand the principle out to other users from there.
Conclusion
Improving and optimizing the way your users work is important to the security of your CNI organization. The more you provide users with tools and techniques to enable best practices, the safer your organization becomes at every level.
Discovering what users need can be a challenge, and it's important to implement solutions in such a way that they improve rather than slow down work. But this is a puzzle that can be solved with careful consideration and a lot of listening to the humans involved.
Find out what you can do to improve how data is processed. When it comes to automation, don't try to automate everything in a "big bang" approach. Identify simple tasks to be automated, then take the time to optimize those tasks first. Remember, if you automate a bad process, you will just end up with a bad process that runs quicker! Getting this right helps users avoid mistakes and helps ensure computers use the same reliable and secure methods of data transfer and processing, no matter what.
About the author
Chris Jenkins is an experienced EMEA-based Chief Technologist who provides a broad range of technical and non-technical skills to enterprise customers.