A winning pair: governance and automated controls must work in tandem to achieve maximum results
We've all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work together to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes often contain at least an interface with what is usually the factor of greatest risk: the human being. Governance is a tool to help bridge the gap.
Take cybersecurity, for example. The Center for Internet Security's Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in different protections such as access control, intrusion protection/detection, malware identification, and vulnerability scanning. These products are "layered," with each tool testing some aspect of the communication, usually with the ability to block or send alerts on...