Certain cybersecurity practitioners insist to impose technical controls to secure the infrastructure/system. To some degrees yes, basic technical controls will prohibit human error or low skill attacks.
Adding technical controls will never secure the infrastructure/system more. At some points, more controls will even degrade the security due to a number of issues:
- People will find ways to circumvent controls because affecting productivity (writing down complex password)
- New control might introduce new system weakness
- Extra efforts are required to sustain the control effectiveness (upgrade, backup, other housekeeping tasks: patch, patch, patch …)
These are always the neglected elements. Sometimes, exercise administrative control will enforce discipline internally while externally relying laws & regulations.