Information technology (IT) infrastructures are complex, dynamic systems, especially in larger organizations, and managing the security of these infrastructures is hard work. Process security cultures tend to believe the best way to tackle cyber security is to centralize and regiment the protection of IT systems as much as possible. People in this culture see their biggest risks coming from a lack of standards, lack of visibility, and lack of control within enterprise IT. This is particularly true for firms already operating in highly structured, hierarchical operational environments. As enterprise networks become more distributed, challenges such as shadow IT, Bring Your Own Device, and deperimeterization are increasing both demand and difficulties for Process security cultures.
What Is a Process Security Culture?
Process security cultures emphasize stability and tight control of security operations and activities, with an emphasis on internal organizational structure and bureaucracy in the form of formal processes, policies, and standards. These organizations score heavily in the top left quadrant of the Competing Security Cultures Framework model.
If your organization has a Process security culture, you are probably used to a lot of rules regarding what you must, can, and cannot do in terms of your IT systems. Security is likely to be somewhat or completely centralized, with the authority to define and enforce policies and standards. You may have to implement rigorous hardening standards on anything that goes into the network, or you may be limited in the number and type of systems you can purchase or use. Process cultures worry about losing control and visibility, which increases the likelihood of an unpleasant surprise, and so want to be involved in approving anything that might impact the security of the enterprise.
In a Process security culture, a lot of operational effort is put into defining and documenting how things are supposed to work. Policies, guidelines, checklists, and frameworks may proliferate around different technologies, activities, and functions. In this culture, you often also find rigid division of labor and authority chains for security decision making. The organizational chart may not always be deeply hierarchical, but there usually will be defined boundaries between what different groups own and where they need to get approval from others. Process cultures, as an outcome of their regimented operations, also tend to collect extensive data about internal security activities, even if they don’t always use them.
Core Values, Strengths, and Weaknesses of Process Security Cultures
Process security cultures tend to value stability through policy enforcement, built around mechanisms for the managed coordination of cyber security operations. The security team’s primary jobs are to keep things running smoothly, avoid surprises, and make sure everyone is playing by the same rules.
Process security cultures tend to be good at making security systematic, which can be a major strength. When everyone understands their roles and responsibilities for information security, it makes for more effective internal coordination across the enterprise. For industry sectors that already depend on highly standardized operations, similar control of IT security can make good business sense. Finally, Process cultures may encourage monitoring and measurement within the security environment, contributing to better enterprise self-awareness.
Weaknesses of a Process security culture usually result from loss of agility and innovation, as rigid processes and hierarchies introduce inefficiencies and “status quo” thinking. Attempts to standardize security controls and requirements across the enterprise can turn into one-size-fits-all mandates that constrain responses to unique business needs. And highly bureaucratic organizations may find themselves growing bloated and brittle, as discipline and self-awareness give way to politics and inertia, perpetuating existing habits and structures rather than promoting change and creative disruption.
Where Do You Find Process Cultures?
Process security cultures are common among security program teams themselves, even in organizations that are not process-centric elsewhere. In industries where bureaucracy and regimentation are already key cultural traits, a Process security culture is even more likely to thrive and expand.
Government – A prime example of bureaucratic institutions, government agencies often extend their process-centric corporate cultures to the management of cyber security. From employment to purchasing to reporting, government information security programs are likely to have mapped out extensive requirements that must be coordinated around people, process, and technology. The upside of such Process security cultures is a remarkably stable environment capable of functioning effectively over decades, but often at the price of speed and cutting-edge capabilities.
Military and Defense – Unlike most government agencies, military and defense organizations can be incredibly cutting edge, but they also rely heavily on Process cultures, both for information security and more generally. In such enterprises, rigid chains of command (both military and civilian) and modular standards that can be quickly applied over time and distance for tactics, logistics, and weapons systems all contribute to the goal of mission accomplishment. Whether it’s the contractor building a new ship, tank, or communication system, or the military that then deploys and depends on it, military and defense entities live (sometimes literally) by their processes and standards.
Banking and Finance – Financial organizations must plug seamlessly into a global, interoperable economic system that has grown ever more dependent on networks and information technology. The result is a culture of interlocking standards for information flows and processing that demands conformity and commitment to shared rules and values. When combined with a business model centered around investment, trade, and profit, the desire for visibility and stability inside a firm is a key strategic concern. Financial institutions are also built to last, and some banks are centuries old. Stable, repeatable cultures enable values to be passed between organizational “generations,” both for business and increasingly for technology and security priorities.