Certain cybersecurity practitioners insist on imposing technical controls to secure the infrastructure/system. To some degree, yes: basic technical controls will prevent human error or low-skill attacks.

Adding technical controls will never secure the infrastructure/system further. At some point, more controls will even degrade security, due to a number of issues:

  • People will find ways to circumvent controls because they affect productivity (e.g. writing down complex passwords)
  • A new control might introduce a new system weakness
  • Extra effort is required to sustain the control's effectiveness (upgrades, backups, other housekeeping tasks: patch, patch, patch …)

These are always the neglected elements. Sometimes, exercising administrative controls will enforce discipline internally, while externally relying on laws & regulations.
