This is the second in a series of three blog posts focusing on Critical National Infrastructure (CNI) cybersecurity. This blog looks at the problem space through the lens of "People and Processes."
- Enterprise security challenges for CNI organizations: Overview
- Enterprise security challenges for CNI organizations: People and processes
- Enterprise security challenges for CNI organizations: Technical solutions
As mentioned in the previous blog post, CNI cybersecurity is not just a technical problem—technology and tools can be enablers to help reduce risk, but you should also identify the "people and processes" required to put good security practices in place.
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier
For those of you aware of the Open Systems Interconnection (OSI) model, you can see people as "Layer 8." To take the analogy further, you could say that organizational processes, governance and policies are "Layer 9." People are needed to put all the relevant pieces together correctly to reach the desired state of security.

People
Imagine buying a bookshelf from a certain Nordic flat-pack retail company. You have all the relevant parts and documentation to build the bookshelf, but you don't have the skills to piece them together. If you continue without the appropriate skills, you may end up with a bookshelf that isn't fit for purpose or, even worse, is actually dangerous. In a CNI organization, the equivalent scenario could cause a catastrophic event. Enabling Layer 8 security is therefore paramount to enhancing the security posture of all CNI platforms: IT engineers and administrators must understand how to build, configure and integrate the various products to reach an agreed end state using repeatable and compliant methodologies.
Several security-related phrases bear this out, such as "security is everybody's concern," "security is a process, not a product" and "security is key to your business success." You can create a "security by design" culture and embed security processes earlier into the platform design and architecture phases by having trained and security-aware staff across the whole CNI organization.
There are many cybersecurity training areas that could be beneficial for CNI organizations. These include:
- CNI threat intelligence techniques
- Cloud security processes
- Data protection
- Data sovereignty
- Social engineering
Making this behavioral and cultural shift to a DevSecOps-focused mindset doesn't happen overnight. It takes perseverance and a willingness to change. CNI organizations need to fully understand all security and safety aspects before making any major changes, and that understanding should come from both a bottom-up and a top-down approach. Engineers and developers must absorb security practice, whether informally as part of a cross-functional team or through official training (internal or external). Senior managers and CISOs should articulate the security requirements and risk management strategies across the organization so that every staff member understands why they need to build in security by default.

Processes
Security processes are a series of steps followed as a consistent, repeatable approach or cycle to achieve better security within an organization. For CNI organizations, stability and resilience are critical to continuous operations, so processes should be certified, repeatable and automated where possible.
In addition to individual internal processes, CNI organizations have requirements and governance policies laid down by various regulatory bodies. Being able to provide attestation to these requirements means implementing many processes, some of which could benefit from being automated.
Oftentimes, security risks are born of honest mistakes, or of people making the compromises necessary to keep technology usable on a daily basis. If a computer doesn't help a user encrypt a file and keep it encrypted through daily use, the file goes unencrypted. If a computer doesn't help a user manage passwords, the same password gets used for everything. It's human nature, but it's easy for computers to perform the steps that humans don't have the time or mental energy to do themselves.
Work with your users to discover what could be made easier through automation. Find the shortcuts people have to take, whether they like it or not, to save time and energy or just to make two applications work together, and then build automation to solve those problems. This can start with the IT and DevOps teams, where automation already tends to be integrated, at least to some degree, with existing workflows. Expand the principle out to other users from there.
Conclusion
Improving and optimizing the way your users work is important to the security of your CNI organization. The more you provide users with tools and techniques to enable best practices, the safer your organization becomes at every level.
Discovering what users need can be a challenge, and it's important to implement solutions in such a way that they improve rather than slow down work. But this is a puzzle that can be solved with careful consideration and a lot of listening to the humans involved.
Find out what you can do to improve how data is processed. When it comes to automation, don’t try to automate everything in a “big bang” approach. Identify simple tasks to automate, then take the time to optimize those tasks before automating them. Remember, if you automate a bad process, you just end up with a bad process that runs quicker! Done well, automation helps users avoid mistakes and helps ensure computers use the same reliable and secure methods of data transfer and processing, no matter what.
About the author
Chris Jenkins is an experienced EMEA-based Chief Technologist who provides a broad range of technical and non-technical skills to enterprise customers.