"Security is a process, not a product." (Bruce Schneier).
Without an (IT) security policy, there is no (IT) security - the goal of a comprehensive IT security policy must be to ensure
In this context, whoever controls the hardware ultimately also controls the software running on it, which in turn means that, for example, no one can actually be trusted on the Internet (zero trust), since it is never possible to know whether, for example, a web address (whether encrypted or not, whether unknowingly or not) is infected with malware:
"There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware" X-Force head Kris Lamb was quoted as saying in Brian Krebs' security blog (The Washington Post) back in 2009, and that hasn't improved at all - quite the opposite! "We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk." |
Without information security (on trustworthy hardware) there can therefore also be no data protection, but IT security can also only be truly effective if it is part of an overarching overall security policy.
"Security is not a process - security is a matter of attitude"
whereby the following applies: The defender must do everything right, a single gap can be enough for the attacker!
"Compliance" is understood to mean the self-evident fact that one must abide by laws. The problem here is to find out which laws must be complied with (i. e., which ones must be applied in each case).
The number of laws that may be applicable or have to be applied is increasing, and internationally cybersecurity is therefore not only a technical/organizational issue, but also a legal one.
Generally, however, there are no explicit warnings about threats that are averted with a high degree of certainty by our firewall.