Today, all companies have been effectively forced to consider the risks they face and evaluate the vulnerability of their assets with regard to their related potential economic impact. Once risks have been assessed, priorities can be established and a defense strategy can be arranged. This means that we need to adopt DiD logic, without being discouraged by the apparent difficulty of this approach. But what is DiD?

DiD is an approach to information security by which a security posture is achieved through the coordinated and combined use of multiple security countermeasures. It is based on the integration of three different categories of elements: people, technology, and operating methods. The redundancy and distribution of countermeasures is based on two main concepts: defense in multiple places and layered defenses.

These concepts are certainly not new; they come from the military. We assume that if an attack is successful, this represents a failure of a security mechanism and other security mechanisms should intervene to allow for the adequate protection of the whole system. This is quite logical if we understand that for an enemy it is more complicated to penetrate a complex defensive structure that is made up of a number of levels than a single barrier. This concept is sufficient to provide each organization or company with technologies, solutions, and technological, operational, and organizational measures and countermeasures. However, this also leads to an exponential increase in complexity and costs, without any guarantee of the actual results and even the risk of counterproductive effects. The way in which the security of company information is to be dealt with should be established by evaluating the tradeoff between risk and expected profit.

Let's now examine, one by one, the three key elements that comprise DiD: people, technology, and operating methods.