It’s not all about Technology
When I joined computing security in 1982 it was part of the function responsible for protecting people, property and information. This encompasses not only security responsibilities, but also fire protection and response. My reaction as a techie was that these non-computing functions had nothing to do with me.
At one point I was volunteered by my manager to be our group’s safety coordinator. One component was to meet with the other safety coordinators in the security and fire protection function monthly. As a result, I not only got to know these people in the various functions, but also learned some things about their functions. One person I met was the Fire Marshal, who was responsible for the standards used across the many locations where the organization operated. He also coordinated fire protection amongst his peers in the surrounding municipality fire departments. He was a champion of change in the national fire codes, which are standards for reducing fire risk; a very interesting model to consider when thinking about computing security control frameworks.
It is common for documents and web sites devoted to computing security to have limited, if any, reference to non-computing security controls. The reality is that technical controls rely on the protections of physical security controls, and that all security controls can be no better than the trustworthiness of the people who create, operate and work within the controlled environment.