Can a 60-year-old framework still improve cyber efficiency?

While being “classic” and “timeless” may work in other industries, InfoSec must constantly guard against resting on its laurels when it comes to strategies and solutions. While the People, Process, Technology (PPT) framework popularized by Bruce Schneier in the early 2000s has served us well, it is often questioned. Some claim the concept of putting People at the top no longer works, while others say the framework needs to be reworked entirely.

The idea behind the PPT framework is that a proper balance of people, processes and technology will efficiently drive action and improvement. While it has frequently been stated that a four-element diamond model would serve modern organizations better, the Golden Triangle continues to thrive.

There is a good reason for this: the model is flexible, and it is about balance. The framework is most commonly visualized as a triangle, with People at the top. This made sense in the early days, but as technology changes, so should the way we think about this concept.

While some industries may still think of this framework in a traditional way, cyber protection relies more heavily on processes and technology. This means rebalancing the framework.

The human element is still as important as ever. Processes have continually been improved upon as the industry has grown, and the available technology has taken off in recent decades. A modern framework is better visualized as a Venn diagram, but you can still see the existence of the triangle.

Machine learning (ML) and artificial intelligence (AI) may have taken over many tasks previously performed by people, but without human intervention, these technologies quickly become ineffective. Humans still need to review new threats, input data and data sources into SIEMs and other systems, adjust AI/ML training models, and improve processes and technologies.

As cybercrime tactics improve, processes adjust to improve response to attacks. Incident response plans must account for an increasing number of possible scenarios. Processes are regularly reworked. The reality is that the human touch is still required but is shifted to different tasks, including the ongoing review of processes.

The most rapidly growing element is technology. For many organizations, technology is improving and growing at unmanageable rates, but relying on technology is becoming increasingly important in daily workflows. In today's world, a significant portion of the workload is not seen by human eyes but is processed by the computers and applications used to ensure efficiency. Despite this dependence on technology, we need people to ensure the technology is working as intended and to adjust it when it is not. A machine learning algorithm does not have the intuition needed to determine that something is wrong with the data it puts out. If the data fits within the training model, the algorithm will continue outputting data that may not be relevant.

We implement PPT in a cyber protection setting by merging data-fed technology, working within data-defined processes, with monitoring by humans who have the expertise to adjust the processes and technology. If any element is ignored, the system starts to break down.

The debate about the People, Process, Technology framework may continue, but there is value in the concept. Ultimately, each organization needs to review these three elements to determine the proper balance. Keep that balance tuned, and never forget that if you stay in the intersection of these three elements, it doesn't matter how each grows or shrinks over time.

Topher Tebow, Acronis Cyber Security Analyst

Topher Tebow is a cybersecurity analyst at Acronis, focused on malware tracking and analysis.
