Meanwhile in Security

The Golden Triangle


Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.


Links:

  • “What actually is “The human aspect of cyber security”?”: https://www.cybsafe.com/community/blog/what-is-human-aspect-of-cyber-security/
  • “What is Process View of Work?”: https://asq.org/quality-resources/process-view-of-work
  • Smartsheet Complete Guide to the PPT Framework: https://www.smartsheet.com/content/people-process-technology


Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn’t get in the way. Download Teleport at goteleport.com. That’s goteleport.com.

Jesse: Last week, I had laid the foundation for a core philosophy driving how I evaluate everything, especially in security. I try to always know the why: why something exists, why someone does a thing, or why an organization has a policy or a program. Now, let’s talk about defining the framework of your defensive security program. The sexy and exciting world of offensive security—red teams, penetration testing, hacking, or cracking—gets most of the attention when non-security people think about our work. The popularization of the hacker type in media and entertainment fuels many of these misconceptions, but the reality is that defensive security is far more important than offensive security. 

If you see defensive security depicted in the media at all, the person doing it is generally portrayed as inept. In fact, the opposite is true. Those of us in defensive security solve incredibly complex problems, often with insufficient resources and tools. For the record, I know your work defending systems is far more challenging, rewarding, and complicated than non-security people realize. I know defending systems can be confusing if that’s not your full-time job. 

I also know that there is solid science underlying our work. Understanding that science will increase your success when implementing your security program. This week, we’re discussing People, Process, and Technology, often called the “Golden Triangle.” This foundational framework applies to all successful security programs, even if the security program was not originally designed or written using this framework. The Golden Triangle is your how, or the principles of your security program. 

Unfortunately, too many people see defensive security as boring, and the people who implement it as buttoned-up indentured servants to corporate or government overlords. There’s far more science than art in our work versus the enticing cool factor of breaking into systems to steal away the crown jewels.

Golden Triangle: People, Process, and Technology, or PPT. Many of you may have heard of the People, Process, and Technology paradigm, but most of you won’t know what people mean by it. The reason PPT matters and is successful is because it’s a business process model. In other words, it’s a proven framework for building a successful and functional organization. The use of PPT in security was first popularized by Bruce Schneier in 1999. 

He references having used the model in a blog post in 2013, but I failed to find the original article. Since his first mention of it, the idea has taken root and is now part of the general toolkit and lexicon of security practitioners everywhere. PPT is wholly applicable to IT of course, although it’s less popular in IT circles. Let’s break it down.

People. The first of the triad—people—refers obviously to humans. This is the human impact on security. This certainly includes your security professionals and management, yet this also can include general employees or contractors of your organization depending on the scope of your security program. Security personnel are critical to the success of a security program from the CSO all the way down to individual contributors: the security analysts. 

Without the right people designing, implementing, and supporting your security initiative, your program is doomed to fail. You need to know that the people performing tasks and using tools are skilled in the right area so that you can be successful. You must populate your security teams with people well-versed in the business and technologies being protected and monitored, or if you cannot do that, you must provide basic resources and training to provide them with adequate knowledge to do the job. For example, you may be tempted to only hire generalists who know a little bit about everything without any depth of knowledge. But to build the most successful program, your people need domain knowledge.

If you are protecting Windows systems and networks, you need to hire Windows experts and network engineers, or you need to bring your existing staff up to speed on these topics. To go a bit deeper into the people concepts, check out CybSafe’s article, “What actually is ‘The human aspect of cyber security’?” Note this is not an endorsement for or against CybSafe, the company, its people, or its services. I don’t know enough about them to comment either way. However, it was a very good article.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com. That’s

Meanwhile in Security, by Jesse Trucks