Marcus Lemonis, the CEO of Camping World and Good Sam Enterprises, and the star of the CNBC reality show, The Profit, has no doubt proven to most of us that his three P’s mantra of People, Process, and Product are key components for running a successful business. On The Profit, Marcus stresses, that for a business to be successful it has to have at least two of the three P’s going for it, and interestingly enough, he strongly stresses that People are the most important.
I am not going to go into great detail about Marcus or his three P’s since there is so much information out there already on the subject, but instead relate these three P’s to cyber security operations. My initial hypothesis is that what makes a successful business is not much different than what makes a successful cyber security operation when we look at the core components.
It should really go without saying that the attitudes, skills, and knowledge of the workforce are crucial to the success of any operation. This holds true in both business and cyber security operations. If you have the right people in the right positions success will likely follow, just as if you have the wrong people in wrong positions failure will likely occur.
There is more to staffing the right people than filling positions with candidates that possess a set of credentials, educational background, experience, or a particular attitude. Each position in an operation requires the right balance of all these areas, but it doesn’t mean you have to find that one rock star candidate that possesses the perfect balance of these areas from the get go. Sure it would be nice to find that diamond in the rough, but let’s be realistic, that doesn’t happen often enough for most of us.
This is why the first P is “People” and not person. It is a collective group of individuals that complement one another in cohesion or in more simple terms, a team. The best teams ensure the required skills and knowledge are distributed among multiple individuals with little efficiency loss. This is why attitude is just as crucial as skills and knowledge.
In business, process begins with the conception stage of a product or service development, and then provides the means to charter the business through the execution of delivering this product or service. A great example of this is a business plan.
It is not much different in cyber security operations, in that, a security plan or security operations plan is much like a business plan. It defines the service and provides guidance as to how an organization will execute the delivery of that service. Of course there is more to it than just that, as the uniqueness and details including supporting and sub-processes will vary depending on multiple factors such as the industry we are operating in and the laws, regulations, and standards we must meet to operate within that industry.
A product is both what is produced and the supporting tools and technologies used to deliver that product. Don’t become hung up by the idea that a product must be an object, as product in many cases is a service. In business, the most important feature of a product is whether or not it is an excellent product that is relevant. A product that is produced with the highest of standards but is irrelevant is just as likely to fail as an extremely relevant product that is produced in a subpar manner.
Once you develop a successful product it is done. What I mean by this is once you have a successful product you don’t change the product, you tweak the people and processes involved with the product to make it better. Of course you can add new elements to the product or even revamp it, but it is still the same successful product and not a new product.
People, Process, and Product
I believe order does matter and that the most important P is in fact people. It all starts with people, as people are the gatekeepers of the knowledge, skills, and attitude required to create effective processes and great products. Processes intertwine people and product, so no piece can be absent in the mantra to be successful.
With all of this in mind, would you agree that focusing on the three P’s would be as beneficial to cyber security operations as it has proven to be for business?