This never-ending cycle helps security vendors make a mint selling security professionals the next "silver bullet" that will let them sleep at night. Thanks to security tool "gadgetitis" (which apparently is contagious), enterprises find themselves in a constant buying cycle, thinking maybe this product will finally help keep them secure... until the next exploit (predictably) outmaneuvers it.
It is never going to be true -- a single new technology, no matter how good, will not make your organization more secure overall. The key to true security improvement is harnessing tools for use in a strategic, proactive approach to IT security.
Large organizations have amassed dozens of best-of-breed security products over the years. The good news is that all those security tools lurking in dark corners of every enterprise don't have to be a sunk cost. Application and network scanners, Wi-Fi scanners and host-based agents put out a wealth of information about the state of network security. Automated patching and configuration management systems, as well as remediation management systems, enable quick implementation of fixes. Threat intelligence services help predict what may really cause damage to your network. Each technology is isolated from the next, each plugging just one more hole in the dam.
The move to a more strategic, proactive approach to IT security requires a different way of thinking: a cohesive, transparent, measurable, repeatable business process that links all of this information together and makes it actionable. This is not easy. It means implementing a business process across disjointed IT organizations that rarely see eye-to-eye.
Fortunately, there are many success stories to draw from. IT security is just the latest department going through the same evolutionary growth phase as others have. Unifying and managing disparate tools and disjointed processes under one umbrella is a familiar concept exemplified by the likes of Enterprise Resource Planning, Customer Relationship Management and Sales Force Automation.
The most forward-thinking organizations have already put in place comprehensive security business practices enabled by a closed-loop corrective action process. Security management systems, leveraging a best-of-breed security tools infrastructure, unify those practices with people and provide the CIO and CISO with the high-level information they need to see what's working and what's not, enabling them to make strategic decisions for the future. CISOs can manage security across their entire organization, actually calculate ROI on security projects and, more importantly, objectively measure and demonstrate improvement over time.
Attacks and exploits will continue to evolve and evade each new security technology -- hackers will always be a step ahead of security vendors. Implementing an enterprise-wide security process to systematically and regularly find and eliminate the root cause of exposures is the only way an organization can eliminate the risk of successful attacks. Let's face it, that's the only way to avoid business disruption because the next new gadget just isn't going to do it.
Tom Kuhr is the vice president of marketing for Preventsys, an enterprise security management company.