A warning to security technology junkies - get off the crack!

Are you a security technology junkie? Do you love to have the latest security gadget, and do you hope that the latest gadget will fill a hole in your network? If so, you can expect to to overdose soon (assuming you have a good budget and gullible management). What you are going to end up with is a huge amount of crap to manage, and you are really not going to get anything done that helps your security program in the long run.

Chris Hoff does a good job of explaining this in one of his latest posts. In point number three (I'll let you read the title of the point), he says:

If you continue to focus on technology to solve the security “problem” without the underlying business process improvement, automation and management & measurement planes in place to demonstrate what, why and how you’re doing things, then you’re doomed.

This is so true. Though Chris made a huge number of great points in this post, this has to be one of the most important. I fell into this trap myself for a while at my last job. We had a good budget the first year, and I went hog wild. I knew from experience where some of the obvious holes were, and I had to get those plugged quickly (needed an IPS, a good URL filter, anti-virus, anti-spam, central logging, etc.). I didn't have time to get policy in place before I got the network secured to some degree. However, in my exuberance, I started getting all googly-eyed when I looked at some of the cool gadgets that were out there. After a while, I figured out that I had too many devices and not enough of a framework to make it all cohesive and manageable.

Don't get caught in that trap. Make sure you come at the security problem from the business side first. I know I have preached about this before, but it is still true. Don't go crazy for the technology until you know your business and the gaps you have to fill. THEN you can get the goodies.