If you’ve ever decided to lose weight, you’ve undoubtedly been exposed to an endless stream of products, most of which make it sound very easy. Take this pill or drink this tea and those extra pounds will simply disappear. While deep down we know that achieving weight loss requires a process in which we consume less energy than we expend, that silver bullet is much more attractive. Given the choice, we’d all rather swallow a few pills than change how we eat and hit the gym.

Security is often more complicated than weight loss, but it suffers from many of the same problems, including the search for a silver bullet and a tendency to focus on only a small part of the problem. I hear a lot of variations on the same basic question:

With all the advances we’ve made in security like firewalls, anti-virus, anti-spam, intrusion detection, intrusion prevention, data loss prevention [and the list goes on], why do we continue to see an increase in the number and severity of security breaches?

Some people will tell you it’s because we’ve become better at detecting security breaches, and that is true. Others would tell you that it’s because information crimes have become heavily monetized, and that’s also true. But the real root of the problem is that we spend way too much time and money searching for that technical silver bullet and not nearly enough addressing critical issues like sound operational practices, personnel security and training.

Security, like weight loss, is a process. Contrary to the sales pitch, there is no product that will make you or your information “secure”. We hear terms like “completely secure”, and “totally secure” all the time, but these states simply don’t exist. Some products can help, but only if they are incorporated into a foundation of solid security processes.

If we really want to stop failing, we need to shift our focus toward actively managing risk. We need to better understand our current risk situation, determine what level of risk is acceptable, and then we’ll be in a much better position to make security program, process, and product decisions.
