on the limitations of PPT

The building blocks of security are people, processes and technology ("PPT").

These days we rely more on technology than we used to.

The proportions of these ingredients also vary between organisations. Think of a large, highly regulated entity such as a bank, which is heavy in processes. Then think of a smaller company in another industry where no one ever talks about processes.

Why do some organisations seem to be doing well without adhering to this PPT scheme? What additional factor could help explain this?


the human element

Upholding security involves different levels in an organisation. This is reflected in the three courses I'm teaching: Strategic, Operational and Technical Infosec (see "my events" above).

But one factor is clearly missing at this "headline" level: people!

Strategies are devised by humans. Operational processes are designed by and populated with humans. And without humans, technology won't help.

How can we approach the "human element" of Information Security? Trust and motivation will be key factors.