Security is not something you buy, but something you do

The three sides of the security triangle are People, Processes and Technology.


  1. People – the key issues are: who owns the process, who is involved, what are their roles, are they committed to improving it and working together, and, more importantly, are they prepared to do the work to fix the problem?
  2. Process – can be defined as a trigger event which creates a chain of actions resulting in something being prepared for a customer of that process.
  3. Technology – now that people are aligned, and the process developed and clarified, technology can be applied to ensure consistency in how the process is applied and to provide the thin guiding rails that keep the process on track, making it easier to follow the process than not.

None of this is particularly new to CIOs and CSOs, yet how often have you seen six- or seven-digit “investments” sitting on datacenter racks, or sometimes even on actual storage shelves, unused or heavily underused? Organizations throw away massive amounts of money, then complain about “lack of security funds” and “being insecure.” For many organizations, buying security technologies is far too often easier than utilizing and “operationalizing” them. SIEM technology suffers from this problem, as do many other “monitoring” technologies.

Compliance and “checkbox mentality” make this problem worse, as people read the mandates and pay attention only to the sections that refer to buying boxes.

Despite all this rhetoric, many managers equate information security with technology, completely ignoring the proper order. In reality, a skilled engineer with a so-so tool but a good process is more valuable than an untrained person equipped with the best of tools.

As Gartner analyst Anton Chuvakin notes, “…if you got a $200,000 security appliance for $20,000 (i.e. at a steep 90% discount), but never used it, you didn’t save $180k – you only wasted $20,000!”

Security is not something you BUY, but something you DO.