When I served on a panel about data breaches at the ISACA Silicon Valley chapter conference recently, the moderator asked, “To prevent data breaches, which is more important: process, technology or people?”
My fellow panelists (three CISOs and two highly experienced consultants) all answered ahead of me: “People.” I was surprised. Here I was, the only awareness specialist on the panel, yet my answer was process.
Without process, I explained, the people don’t know what to do. Without process, there is no right way to implement technology. Process is implemented through governance. As I discuss in Advanced Persistent Security, without governance your security program is an accident.