InfoSec Opinion Column #2 (January 31, 2025)

Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved.

(Note: InfoSec Opinion Column will be published roughly once per week. All other content will be published roughly once per month. I've broken out InfoSec Opinion Column into its own newsletter, so you can now choose which content you want delivered via email.)

What: Operational Professionalizing vs Proceduralizing

Why it matters: Matt Linton is a highly experienced incident response leader at Google.

tl;dr:

• "As a Security Operations team grows and matures, repeatable outcomes and standards become increasingly important over time."
• "A professional team that is held to documented standards has less uncertainty and knows what they must do to meet them. A professional team has a mission and can consistently deliver it to their organization."
• "Proceduralizing is how I refer to the outcome of an uncontrolled effort, over time, to address operational quality with an increasing number of procedures to follow. [...] Over time this can cause the responders to feel demotivated by the apparent lack of trust in their expertise."
• "The expectation to ‘always consult the playbook’ is frustratingly easy to become ‘only follow the playbook’"

Matt's view: I'll admit to having been guilty of occasionally over-proceduralizing in my teams. Linton is spot on here: it causes frustration and increases the risk that someone won't do the right thing simply because the procedure didn't account for it. Whenever possible, rigid playbooks should be delegated to automation, and humans should be given the skills and guardrails they need to confidently and creatively solve problems.