Building blocks of security are people, processes and technology ("PPT").
These days we rely more on technology than we used to.
Also, the amount of these ingredients will vary between organisations. Think of a highly regulated large entity, such as a bank, heavy in processes. Then think of a smaller company in another industry where no one ever talks about processes.
Why do some organisations seem to be doing well without adhering to this PPT scheme? What additional factor could help explain this?