Before me were the CEO, the CIO, the CFO, the CTO and the vice presidents of sales, marketing, support and operations. I told them that I had been working in security long enough to know what sorts of things work. There’s the rule of least privilege, which enforces access controls based on granting only those privileges that any individual needs. There’s security awareness and the idea that changing employees’ behavior is one of the most crucial ingredients of strong security. There’s the acknowledgment that we’re only as strong as our weakest link. There’s the all-important realization that security is a process, not a point solution.