As security professionals we often get distracted by the technology and forget to focus on the people and process elements that are also the foundations for a strong information security management system. I discuss this topic in more detail in my “All That Glitters is Not Gold” post over on Information Security’s Knowledge Bank.
On Twitter, Mark Hillick (@markofu) and I discussed the topic further, with Mark pointing out that lack of focus on staff and too much focus on processes can be equally damaging. This is very true, and we need to ensure a proper balance is maintained amongst the People, Process and Technology triumvirate. Overly cumbersome policies and procedures will simply be bypassed, while managerial controls that are too lax can lead to issues around the quality of the information security program.
Remember that a solid risk assessment should identify all the controls, be they people, process or technology based, that you need to implement. Anyway, head over to the post and let me know whether you think we as an industry are too easily distracted from the basics of good security by shiny new technical toys.