How to Optimize Security Governance by Leveraging Efficient Processes

5 ways that leveraging efficient processes in IT organizations will maximize existing security resources and investments

Frances Fedoriska | April 4, 2024

“You want to know how resilient you are. You want to know what kind of choices you have. You want to know [the right answer] in certain situations. Processes give you the data to make those decisions better. You're not relying on gut, you’re relying on data.”

-Bruce Schneier, Gutsy Advisor

A priority for most IT organizations is getting more out of the resources they already have. We spoke with renowned cryptographer and Gutsy Advisor Bruce Schneier about the benefits of optimizing security governance, and specifically about how a process-centric view and an understanding of security processes as data help optimize existing security investments and resources.

5 Key Takeaways:

  • Enhance Efficiency: Implementing process-centric approaches helps you achieve your business objectives faster and reduces costs over time by maximizing existing IT investments.
  • Data-Driven Decision Making: Visibility into and understanding of your processes give security leaders relevant data for assessing resilience, making informed choices, and improving decision-making. Choices can be based on data that shows what needs to be done to improve security posture.
  • Continuous Improvement: Regularly evaluating and refining processes against measured benchmarks from within your security systems allows you to adapt to evolving threats and challenges with little to no disruption to daily security activities.
  • Automation in Audits: Automating data collection and analysis in audits leads to more efficient use of time and resources, enabling you to focus on high-value tasks.
  • Process-Centric Approach Value: Investing upfront in well-defined processes leads to long-term cost savings through operational efficiency and reduced risk of costly breaches. It also builds the foundation for your organization to have a structured framework for decision-making.

Related Resources:

1) [Article] When Investing in Security Processes is a Solid Governance Strategy

2) [Article/Video] What is Process Mining?

3) [Article/Video] Redefining Security Governance with Process Mining

4) [ebook] Process Mining: The Security Angle

The full transcript:

John:

A priority for a lot of IT organizations now is trying to get more out of what they already have, doing more with less, running more efficiently and so forth.

Talk about the utility of a process-centric view of things and understanding of processes and data as a way to get more out of your existing security investments and teams.

Bruce:

Process is how to do repeatability more easily. If you don't have a process, everything's a one-off. And again, it's going to be whether you invest up front in the process to make every time you do it cheaper or you don't have a process, every time you do is more expensive.

It's always going to be a balance between what does it cost to create the process, and the cost and frequency of the incidents.

Now what we know about IT is most of the time you are way better off putting a process in place and then letting the things happen according to process - than you are letting everything be a one-off.

John:

Another area that I've heard customers talk about a lot is the amount of time that they spend on audits, and more so the time each spends doing low or sort of no value add activities and audits like gathering data, correlating data somehow.

Bruce:

I mean, the hope is that there's an audit process:

  • Data collection
  • Data aggregation
  • Data analysis

It becomes part of the process, that it just happens automatically.

What you want is to push a button and you get the report you need, because you need the same damn report every year, every quarter, every month, whatever it is. And let's just build a process to get it.

The more you can automate that process, the more it just happens. And that gives you a lot of benefits. You can like run the process when you’re halfway through the quarter and see ‘how am I going to do?’

You can project forward, you can make a change and then run the hypothetical, ‘how does it change?’

You know, once you have that process, you now can use it in ways you might not be able to if you're doing it manually.

Process gives you the ability to do all of these:

  • ‘What ifs’
  • ‘How we're doing’
  • ‘How did we do last year’
  • ‘How do we compare?’

Things you couldn't do otherwise because it was costly to do those one-offs again and again.

You want to know how resilient you are.

You want to know what kind of choices you have.

You want to know what the right answer [is in certain situations.] And the processes give you the data to make those decisions better.

You're not relying on gut, you’re relying on data.