Mark Strickland, CISSP
Security Is ...
Security is a continuous process of examination and improvement. There is no day on which you achieve a 100% secure enterprise or network. If you are asked "Are we secure?" you can only say "We're working on it; we are better than yesterday but not as good as tomorrow". There are always compromises and always unknowns. Systems are interconnected components that, by definition, must be accessible to be useful. That accessibility alone makes them vulnerable.
It all starts with people ... educate, train, inform, remind, and then do it again. Beyond people are tools, plans, and processes. Just as you would never consider operating without a Business Continuity and Disaster Recovery Plan, you should not operate without a Security Incident Response Plan. Plans need to be ROI-aware and reflect the needs and capabilities of the business.
Network security involves continuous examination of infrastructure, traffic, and tools. Networks can be relatively secure and definitely defensible, but all of the preventative tools, such as firewalls, will likely fail at some point under some circumstance. Testing can tell you where you stand at a point in time, but good monitoring tools help you stay defensible on a daily basis. Good tools make good people better. Without tools you can only react after damage has occurred. With tools and a good Incident Response Plan you can mitigate, contain, and possibly stop the damage, then learn from the incident and make improvements for the "next time".
Exercising due care to remain relatively secure takes far more effort than it ever has. Network "hackers" abound. From "Script Kiddies" with readily available point-and-click tools to the professional on a mission to gain access or do specific damage, enterprises must be more vigilant than ever before.