Balancing IT Security: People / Processes / Technology.

To put in place the C.I.A ( and Privacy) principles

  • Availability – Is data available for the authorized persons, within certain limits and conditions?
  • Integrity – Can you trust the data: have they been modified, added or removed?
  • Confidentiality – Restriction to access data
  • Privacy

Everyone has seen the People, Process, Technology Venn diagrams prevalent in business literature. I believe the most effective security practices involve a balance of all three categories to succeed – the process has to be sound, the technology relevant, and the people informed. Relying on any one of these categories too much will surely result in failure. No matter how locked-down a server is, if someone writes their password on a post-it note on the monitor, it is no longer secure. If there is no process in place to direct the people or the technology on the correct actions to take to be secure, it will fail.


We have to approach them in those 3 different aspect (Pillars), to be sure that no area is missed. Here I list the possible vulnerabilities for each pillar.

1) 1 People / Human


  • Ignorance of risks and threats
  • Managers not sensitized enough or little involved  in Information Systems Security Policy
  • Thoughtlessness, carelessness, neglect, passivity, irresponsibility.

To compensate or solve those vulnerabilities, we need to:

  1. Communicate and inform, with security awareness campaigns and enforce automatic controls and notifications
  2. Follow basic rules and common-sense security measures (practical and pragmatic), without rejecting them when they apply to our one business (laziness, resist to the human habits and create a culture of the information security).

2) 2    Processes / Organizational


  • Security requirements and rules are weak or undefined,
  • Unsecured operations or weak procedures.

To compensate or solve those vulnerabilities, we need to:

  1. Share, Communicate, Document, Explain
  2. Enforce controls and automation.

3) 3    Technology / Technical


  • Design weaknesses: identify software security requirements early
  • Security Exploit: bug or misconfiguration on a system which can be used by an Intruder to gain unauthorized access.

To compensate or solve those vulnerabilities, we need to:

  1. Include security ( CIA and Privacy) in all the projects, from the minor one to the most strategic one
  2. Audit, review the old projects and implementation
  3. Implement tools to prevent malwares and exploits
  4. Enforce the change management procedure
  5. Reduce human dependency, not letting a single man with the critical knowledge.

In fact, communication is everywhere. This is one of the most important criteria to focus on.

Be the first to comment

Leave a Reply

Your email address will not be published.