I cannot resist recording the following quote from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.

"You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend - it will only give you a false sense of security, which in fact can be more dangerous than no security at all."

I cannot agree more with their comments on the people and process factors. Without a good process, you won't have a "secure enough" network. Enforcing a security process will always bring inconvenience to people, so you should always expect resistance from them. Without the buy-in of the people, a process is just a useless piece of paper. So you need to educate people before introducing a process. Once people have more knowledge of security, they tend to adopt the process more easily and resist it less.

On the other side, a security process should be introduced VERY GRACEFULLY. A security process should bring minimal inconvenience to people; that makes people adopt it more easily. If there is a conflict between a big inconvenience to people and being less secure, I'd rather trade off security for convenience and let the security admin focus more on the less secure part.
