What defines a security posture?

• A. The organization’s physical building security.
• B. The number of security personnel on duty.
• C. The overall readiness and robustness of protective measures and policies to reduce vulnerabilities.
• D. The speed of incident response only.

Answer: (C)

A security posture is the organization’s overall readiness and strength in defending against threats, encompassing the full mix of protective measures, policies, and practices used to reduce vulnerabilities. It isn’t just one thing, but how well people, processes, and technology work together to prevent, detect, and respond to risks. This includes technical controls like access management and monitoring, physical protections, administrative actions such as policies, training, and risk assessments, and a culture of continuous improvement through audits and lessons learned. Focusing on just a single aspect—like building locks or how many guards there are—misses the broader system of controls and practices that together determine risk. Similarly, prioritizing only how quickly an incident is responded to neglects prevention and detection efforts that reduce the likelihood of incidents in the first place.