What are the three pillars of information security, and why does relying on just one fail?
Information security stands on three pillars — technology, processes, and people — and it is only as strong as the weakest of them; a firewall means nothing if the process is undefined or an employee clicks the phishing link.
* Information security rests on three complementary pillars — technology, processes, and people — and is only as strong as its weakest one. *
| Pillar | What you do with it | Example |
|---|---|---|
| Technology (Technik) | Buy and configure it | Firewalls, encryption, patch management |
| Processes (Prozesse) | Define and control them | Access-request workflow, incident response, backups |
| People (Menschen) | Raise awareness and train them | Phishing training, clean-desk habits, reporting culture |
The point of the model is that these are complementary, not interchangeable: the best technology is undermined by a sloppy process, and the tightest process is undermined by an untrained or careless person. This is exactly why a management standard like ISO 27001 or BSI IT-Grundschutz spans all three — it manages processes and people (policies, roles, training, audits), not just technical controls. "We already have a firewall" fails because it addresses one pillar and ignores the other two.
Tip: Buy/configure → define/control → sensitize/train. Match each verb pair to its pillar (technology, process, people).
Go deeper:
Information security (Wikipedia) — die drei Dimensionen Technik, Prozesse und Menschen sowie die CIA-Trias (Vertraulichkeit, Integrität, Verfügbarkeit).