Turn away from tech: Focus on people and process

OK, the title of this article is a little misleading: we don’t really think you should turn away from tech. But we do suggest that you shift your gaze for a moment away from technology and towards the people and processes that are absolutely critical to secure your organisation. 

On the exhibition floor at Black Hat MEA 2024, we caught up with Allan Alford (CEO at Alford and Adams Consulting), and asked him what key message he’d like to share about the future of cybersecurity. 

“The future of cybersecurity is something we always have to think about in terms of the change that cybersecurity represents,” he noted. “It’s an ever-moving target. We’re always facing new technologies and techniques – the bad guys are always coming up with something different every day.”

But in spite of all of this, he said, his advice is “don’t skip the fundamentals. Don’t skip the stuff you really need to be doing every day.” 

The three fundamentals of cybersecurity are people, process, and technology. And according to Allan, we need to be careful not to focus too much on the tech – because people and processes are just (or even more) important. 

People: They’re the threat, and they’re the solution 

People – and not even malicious ones – are the top vulnerability across organisations. We know, everyone hammers this point home all the time (but that’s because it’s true…): as many as 95% of cybersecurity breaches are rooted in human error. 

So it makes perfect sense that people need to take priority over tech in your cybersecurity strategy. You can have the best, most innovative tooling in the world – but if your people don’t know how to navigate your network securely; how to report concerns efficiently; how to authenticate credentials; why they shouldn’t skip repetitive, frustrating steps in your cybersecurity process when they’re in a rush…then you’re in trouble. 

People are the foundation. Training, awareness, and impeccable communication should be central to any organisation’s security strategy, in any industry. 

Process: It’s how you keep the people consistent 

If people are the foundation then process is what stops the foundation from crumbling. It’s the screws, the bolts, the braces. 

Processes enable your people to be consistent in the way they navigate your organisation’s networks, handle potential threats or vulnerabilities, and prevent security incidents from occurring or escalating. 

A good, well-communicated (and always up-to-date) process means everyone knows what role they play in any given situation. They know exactly what to do when they encounter an authentication error, for example; or a phishing email, suspicious website, security alert requiring action, etc. When everyone knows what their part is and how to execute it, your organisation is better able to respond to threats quickly and effectively. 

Processes should be audited regularly to make sure they stay well in line with the overall cybersecurity strategy, and to identify gaps or potential improvements. Never skip over these audits – because when processes fall behind, your organisation is at risk. 

Tech is layered on top  

With solid foundations (people and processes) you can layer technology over the top. Security tech can’t work effectively if the people in your organisation aren’t also working effectively; but when they are, technology shields your data from intruders and alerts you and your team to any potential problems. 

Keep your tech up-to-date, keep investing, keep strengthening configurations (not relying on defaults) for maximum security. 

But even organisations that don’t have the budget to invest in the latest security tooling can develop a robust security posture. Because, as Allan put it: 

“People and process can win the day regardless of what the changes in technology might be.” 

Join us at Black Hat MEA 2025 to share your perspective and meet potential partners – and shape the future together.