The four P's of information security success

Although information security success relies on all parts of the four P's -- people, policy, process and product -- there is one that may really drive the profession.

Security maven Bruce Schneier is famous for saying, "Security is not a product; it's a process." He's correct, but only partially.

Security is about four "P's": People, Policy, Process and Product. Doesn't matter if you plop down $300,000 for the world's best firewall; it's just another bump on the wire without a governing security policy and fully cooked process for configuration and administration.

Each security professional must address all four P's, though not in equal parts. CISOs spend a lot more time on people and policy issues, while security admins focus on process and product.

If you had to pick, which "P" would you say is most instrumental to security? You might argue for policy; perhaps you'd say product.

It's neither. People are what make or break your security program at each layer of your organization. For security to succeed, executive management must drive a culture of individual security accountability. For security to succeed, infosecurity managers must counsel their higher-ups and guide smart policy decisions on security infrastructure and operations. For security to succeed, front-line admins must religiously scan, log, audit, patch, configure and update systems and networks. Failure of any of these parts undermines security as a whole.

Even if you're executing on all these levels, people are the weakest link. Look what happened with Sobig.F. All it took was a few unsuspecting users with itchy trigger fingers and, voilà, we've got a worm epidemic on our hands.

People Skills

This issue of Information Security is largely devoted to the people part of the infosecurity challenge. Our coverage includes a CISO Strategies section on institutionalizing a security culture, featuring a roundtable of security executives from American Electric Power, Xerox and Electronic Warfare Associates. But I want to draw special attention to our cover story on "Women of Vision," a profile of women professionals who, individually and collectively, are shaping the future of infosecurity.

It's precisely because of the four P's that women excel in IT security. In most technically oriented disciplines -- networking, data support, application development -- the emphasis is firmly on process and product. The knowledge base and workload are all about bits 'n bytes and speeds 'n feeds. Historically and culturally, these are "hard skill" activities largely executed by men. These disciplines place a premium on "male"-oriented skills: analysis, decisiveness, binary "if-then" decision making.

It's not that security doesn't also require hard-wired technical skills. Just ask anyone charged with rolling out a PKI. But the effective security professional must also possess so-called "soft" skills. Communication. Negotiation. Diplomacy. In short, people skills. While I'm loath to make broad generalizations, women are historically more adept at these skills.

Our special report honors 25 women who, through years of dedication and leadership, have vaulted to the top ranks of the infosecurity profession. These individuals are among the growing ranks of women who continue to define and refine "how security gets done" on all levels of the industry, from executive leadership in Fortune 500 corporations to academic research and standards development to government leadership to vendor innovation.

Security is a process, after all. But it's a process driven by people. Through their collective vision, these women are helping define security's place in the global marketplace. In the process, they're helping to transform security from a technical sub-discipline to a full-fledged profession.

About the author:
Andrew Briney, CISSP, is editor-in-chief of Information Security.

This was last published in September 2003