Quality Security: People, Process, and Products

Blog Post created by mjc on Feb 28, 2012


Here at Rapid7 we have tons of talented people across the board; sometimes it's scary. One of the people I've interacted with a lot is Jennifer Benson, our VP of Customer Experience. Through Jen I have found that the three tenets of People, Process, and Products (the 3Ps) are very handy when it comes to delivering just about anything. We use the 3Ps here at Rapid7 to deliver quality customer experiences. Jen is very smart, and she breaks many things down using the 3Ps. There is a reason why: IT WORKS!


Although many organizations tend to rely on just one or two of the 3P tenets, all three, applied in a balanced way, are required to build a quality security program. For example, some large organizations attempt to spend their way to security utopia without building the proper processes or training their people. Some give their people awesome security training, but many of the products they train on aren't available in their organization. Some organizations simply don't have the correct processes in place to leverage the investment they have already made in personnel and products.


I drew up the image to the right to illustrate that when you mix the 3Ps together the outcome is beautiful. This isn't exactly how the 3Ps are used in quality management, but it fits like a glove.


After coming to this personal revelation, I thought to myself, "I wonder whether anyone else has thought about the topic in this way." Google was very kind to point me to the following book:


Surviving Security: How to Integrate People, Process, and Technology by Amanda Andress http://r-7.co/zIWApk


Surviving Security was written by Amanda Andress and published back in 2003. I have to say that from a people and process standpoint the book is awesome and worth a read. Unfortunately the technology mentioned in the book is outdated, but the people and process parts are very relevant today. I wish Amanda could update the book as a stand-alone version without the technical depth, so the content would be non-perishable.


It is still worth a read for passages like this from page 5 of the book:



Security is not a single solution. Security is a pervasive, ongoing process of reviewing and revising based on changes to the business and corporate environment. It is the culmination of interaction between people, process, and technology. Schneier suggests this mantra: "Security is a process, not a product." This statement reflects how every company should approach security. Security products are only one piece of the puzzle, and implementing those products is not a one-step process. As the corporate environment changes, these products should be analyzed and reconfigured.