It's easy to buy products; fixing your architecture is much more difficult, and more rewarding!

Last week I joined sixteen thousand other IT professionals at one of the largest information security shows in the world. I've been to this show many times before. As always, there are some interesting products and MANY clones. The theme I picked up whilst walking the halls was the usual "buy our product or the sky will fall down".

If you are under pressure to "do something to improve security", the temptation to buy a shiny new security product may be overwhelming. Promises made in the marketing collateral are difficult to realise without the appropriate implementation, guidance and support.

STOP. Take a step back. Consider your overall information security requirements and policy, and measure compliance, to get a balanced view of where you need to invest time and money. Nine times out of ten you will be better off making better use of the controls you already have AND improving the security awareness of everyone who uses the infrastructure.

People, processes and technology need to be leveraged TOGETHER for effective security.

Answering questions like "who needs access to what, why and when?", "how do we know who they are?", "should anonymous access be allowed?", "what are the trust boundaries as information flows around my organisation?" and "is this a stupid policy?" will do you much more good!