Over the past few decades as a security practitioner, I have witnessed many security failures, and I attribute them to three common defining elements.
1. Priority of security within an organization
Effective security requires not only insight into the entirety of the organization but also integration with it. Security goals must be linked to business goals. Risk-based security direction, rather than checklist compliance, is another strong indicator of the placement and priority that security holds within an organization.
2. Human error
It is unlikely that the people in your organization will comply with policies and use technology correctly at all times.
This is human error: security fails when technology is not used as intended, or when policies are misunderstood, forgotten, or ignored. Implementing controls that anticipate and mitigate human error is key to an organization's security posture.
3. Technological solutions
Security is about process, and technology should be an enabler of that process.
No software or hardware solution is going to serve as a silver bullet, and the money spent on technology is often disproportionate to the results that can realistically be expected. Perform a comprehensive needs analysis, then run a technology bake-off against those needs. Technology investments based on documented needs and realistic security goals will provide a return on investment.
It is hard to resist the well-known adage: “Security is only as strong as its weakest link.”