Security is not a Binary State
The security world is not black and white. The states of Secure vs. Insecure are relative to one's perception of risk. Consider this very simple perspective from outside the IT industry. In a metropolitan area everyone locks their doors. Why? Because the threat/risk of an unlocked door is not acceptable under their policy. On the other hand, in many small rural towns people never lock their doors. Why? Because they perceive the risk of a break-in to be inconsequential. Ask either person if they are "Secure", and they will both likely say yes. So what the heck does this example have to do with IT security? Simply that an enterprise's perception of its state is relative to its willingness to accept risk.
Products which say they make you "secure" really provide controls to manage the risks associated with a set of threats, and one should understand those threats. There are no silver bullets in security; rather, an enterprise's ability to manage risks is based on interlocking and layered controls (the traditional defense-in-depth concepts) that protect against or attenuate risks/threats. Security is about people, process and technology. The people and process components define security policies, and the technology implements those policies. Policies need to be based on the business processes and the requirements of those processes.
When someone says XYZ will make you "more secure", the statement carries no weight unless the person has intimate knowledge of your policies and other security controls. "More secure" is a value judgement, and others should not be speaking to your values. Rather, products/technologies should be presented on the basis of the risks that they mitigate and how they operate to mitigate those risks, not on the basis of vague assertions.
--Steve Bade, STSM, IBM Systems and Technology Group. All opinions are my own, and do not necessarily represent the views of the IBM Corporation.