In 1999, security professionalBruce Schneier popularized (but contrary to popular belief did not invent) the concept of "People, Process, Technology."Like the CIA triad, the PPT triad is a critical concept in information security (and technology management in general).The idea is that all the firewalls, IDSs, virus scanners, proxy servers, etc. (technology) in the world don't amount to a hill of beans if you don't use them right (process) and have the right team using them (people).A common issue I've seen in practice is that businesses will take a "check the box" approach to security where they invest in specifictechnology to meet compliance obligationswithout having the right people or processes in place to take advantage of the technology and truly secure the system.As a result, costly high-end IDS devices are installed but don't send the alerts to anyone and aren't tuned to eliminate false positives or updated to ensure that they are detecting the latest threats.This is sort of a chicken and egg problem.

Discuss how you would prioritize eachelement of"People, Process, Technology".Which is mostimportant?How would you split your scarce IT security dollars among them?What limitations might you run into?Can you think of any creative ways to purchase/hire/acquire these elements for use in your business?