What are the key elements of a good security program? Why did you answer that way? Seems a lot of security is ‘handed-down’ knowledge. We pride data and evidence-driven decisions while suggesting security is too hard to measure and pin down. Curious, no?