Security technology alone cannot reassure protection. It requires human judgment:
- What is the value of target being protected? Risks to low value asset or low business impact are simply accepted as part of the operating cost. Example is the anti-theft RFiD tags.
- How is the controls deployed? Is the control in place properly? Gap in control will leave a loop-hole.
- Most importantly, how is the control operated and sustained to maintain its effectiveness? Adding controls does not increase security sometimes but incur unnecessary overheads or activities that overkill the purpose.
A comprehensive assessment from design, build, deploy, regular validation is required through out the life cycle of the deployed cybersecurity protection.