Some decades ago, computers weren’t widely used in business, so people and processes were the primary targets for compromise. At that time, there were few organizations with the resources to engage in espionage practices, so it was mostly reserved for governments and perhaps a few conglomerates. Over time, though, computers became increasingly commonplace despite the abundance of vulnerabilities in the technologies of the day. This put more information than ever at risk as access to corporate and academic secrets grew to unprecedented levels. Vendors saw the risks to their own businesses and set about creating solutions for securing the technologies they were selling with technical and physical controls. This focus certainly did help as today’s technologies often are built from the ground up with security principles at the fore. However, as we observe the growth of what is known as human-enabled breaches, we see now that a focus on technical and physical controls alone was never going to be enough. Perhaps because our attention was focused on technical and physical controls, we’ve often underestimated the impact of our people and processes on our security postures. This has led them, once again, to being the primary targets. Clearly, we need a more balanced approach to cybersecurity; one that balances our efforts in all three types of controls: technical, physical, and administrative. But what are administrative controls and how do they help us mitigate vulnerabilities in our people and processes? We are going to explore this question and others with you through a series of posts as we share what we are learning and how we are applying those lessons through our new administrative control-focused platform Sibylity.