Are Security Vendors Doing Their Jobs?


"Security is a process, not a product." Two people lay claim to that quote: Marcus Ranum and Bruce Schneier. Regardless of who said it, the axiom rings true. Two-thirds of all security breaches are caused by internal users, and most of those are accidental or non-malicious. In many cases, security is a matter of proper configuration and change management, meaning making sure that devices are properly imaged, that users have appropriate permissions and that a consistent state is maintained. Many security technologies have matured to the point where they're commoditized in both the market and their usage. The question becomes whether the newer technologies that vendors are bringing to market are really designed to improve security. Prior to joining Baseline, this is the question I asked in an exposé for CSO Magazine (http://www.csoonline.com/read/110107/fea_vendor.html). Many CSOs and senior security managers I speak to say that they're spending most of their time maintaining state rather than experimenting with new technologies, because that's where they get the best results for their efforts. If firewalls, IDS and antivirus are so common that they're transparent in the infrastructure, what emerging security technologies will produce true value for the enterprise?