You fail to take into account that threats will move to where you are weakest, not to where you have strengthened your defenses. You don’t have to be the most secure; you simply have to be secure enough to either effectively block the threats you realistically face or convince attackers to go after someone else.
Mistake One: No Security Goal
If you don’t know where you are going, it is reasonably certain you won’t get there. The goal should go beyond simple data security or physical plant security and include the security of traveling executives, branch offices, home offices, and key partners.
Mistake Two: No Risk/Security Assessment
The first step (after making sure you have good people) is to understand where you need to go. To do this you typically need a security expert to come in and assess just how exposed you are. Set the goal first: the assessor needs something to set context, otherwise the assessment will showcase exposures you don’t need to correct and miss exposures that could be relatively important to address. Using someone who is independent of both your company and the vendor that provisions your security helps ensure they are focused on your company’s needs and not their own.
This is not a one-time event either; threats change rapidly, and your security plan will need to change to address them. In his view you should do this annually. That keeps the assessment entity up to date on your firm and gives you a relatively current baseline to use when evaluating changes or purchases that address your security needs.
Mistake Three: No Plan
You often see failure to plan at national borders: a lot of money is spent securing the border crossing while people continue to cross illegally, out of sight of the border station. The corporate equivalent is securing the front door and the datacenter while allowing rogue wireless access points inside the company, which bypass both the physical and the electronic controls.
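The rogue access point is the concrete version of this mistake, and the practical check is to compare what a wireless survey actually sees against an inventory of sanctioned radios. The following is an added example written for this page, not code from the original article or the speaker it summarizes; the inventory, the SSID names, the scan results and the -60 dBm "probably inside the building" threshold are all constructed assumptions for illustration.

```python
"""Rogue wireless AP check against an authorized-AP inventory (added example).

Flags unknown radios impersonating a corporate SSID (evil twins), known radios
broadcasting the wrong SSID, and strong unknown signals likely to be inside the
building. All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory of sanctioned APs: BSSID (lowercase) -> SSID it may broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}

# Assumed threshold: at or above this RSSI an unknown AP is probably on the premises,
# not a neighbouring business. Tune it to the site after a walk-through survey.
INSIDE_RSSI_DBM = -60


@dataclass(frozen=True)
class Observation:
    """One AP as reported by a wireless survey tool."""
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int


def classify(obs, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS,
             inside_rssi=INSIDE_RSSI_DBM):
    """Return one of: authorized, misconfigured, evil-twin, suspect-inside, neighbor."""
    bssid = obs.bssid.lower()          # normalise case before the inventory lookup
    allowed_ssid = authorized.get(bssid)
    if allowed_ssid is not None:
        if obs.ssid == allowed_ssid:
            return "authorized"
        # A known radio on the wrong SSID: misconfiguration, or someone spoofing its BSSID.
        return "misconfigured"
    if obs.ssid in corp_ssids:
        # Unknown radio advertising a corporate network name: classic evil twin.
        return "evil-twin"
    if obs.rssi_dbm >= inside_rssi:
        # Unknown, but loud enough that it is probably plugged into our building.
        return "suspect-inside"
    return "neighbor"


def find_rogues(observations, **kw):
    """Return (bssid, ssid, verdict) for every observation that needs a human look."""
    findings = []
    for obs in observations:
        verdict = classify(obs, **kw)
        if verdict not in ("authorized", "neighbor"):
            findings.append((obs.bssid.lower(), obs.ssid, verdict))
    return findings


# Constructed scan results, in the shape a survey tool would hand back.
SAMPLE_SCAN = [
    Observation("CorpWiFi", "00:11:22:33:44:01", 36, -48),   # sanctioned AP
    Observation("CorpWiFi", "AA:BB:CC:DD:EE:01", 6, -41),    # evil twin
    Observation("Linksys", "AA:BB:CC:DD:EE:02", 11, -52),    # personal AP under a desk?
    Observation("CoffeeShop", "AA:BB:CC:DD:EE:03", 1, -84),  # neighbour across the street
    Observation("CorpGuest", "00:11:22:33:44:02", 40, -50),  # known radio, wrong SSID
]

if __name__ == "__main__":
    for bssid, ssid, verdict in find_rogues(SAMPLE_SCAN):
        print(f"{verdict:15} {bssid}  {ssid}")
```

The point of the example is the plan behind it, not the code: the check only works if someone has first decided to keep an authoritative inventory of radios and to survey the floor regularly, which is exactly the planning step the mistake above skips.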
Mistake Four: Linux/Firefox
Actually, the mistake here is not implementing Linux and Firefox, but rather leading with the product and not leading with the plan. Products come last. You may, in fact, decide to move platforms, but that decision should come as a result of the plan and not despite or without it.
In the end, your company has layers of security around it, much like a home surrounded by fences, with locked doors and windows, and with a panic room inside (a secure room with hardened walls you can lock yourself into if someone breaks into your home). The nature of the exposures you face, your resources, including the skill sets of your people, and your access needs define the nature of the security solution you put in place.
http://www.networkingpipeline.com/60403185