Process is a critical component of any successful security program. It is integrated into the organization to support policy and, by extension, the program charter. Process guides the use of technology but is not a servant to it. This distinction is important because, too often, processes are designed purely to operate technology rather than produce the outcome that supports the organization’s objectives. The result is a series of ad-hoc revisions to processes once they are implemented.