Ever since I've been aware of IT security, I have been told it is not, fundamentally, a technology issue. There's lots of really good stuff we can do with very sensible and worthwhile technology, installing systems, guarding perimeters, repulsing attackers and identifying users as they log on. But that is not what matters. What matters is the kind of policies we set up to ensure that the technology actually gets used.
If you don't have a thought-out policy, you may spend thousands blocking up a "gap" in your security -- when that gap does not actually exist, or is very unlikely to cause problems. You may leave other gaps wide open. Worse still, without a policy, your staff won't understand the reasons for the security measures and may, accidentally or deliberately, break them or side-step them.
Everybody knows this. Security is not fundamentally about technology. But how have we responded? With technology. With interminable discussions about technology -- this year, the merits of "intrusion-detection" versus "intrusion prevention". With endless new products designed to fill some security niche that got missed out by the last product, or combine the last three security product types into one super-duper appliance.
Despite being continually told that security is a matter of policy, 99 percent of my conversations on the subject have been about products and technologies.
Security policy, like so many other important things, is not pleasant or easy to talk about. After a few minutes, our eyes tend to glaze and we start to look round for something "concrete" to install or configure. This is basically because the conversation is hard work, it is on subjects that do not come naturally to technologists, and we want to avoid it.
It's like those relationship-shaking conversations when one partner needs to talk about "What are we doing together? Where are we going?" and the other partner feels a sudden urge to tidy the cellar.
To determine security policies, you need to think about the business and examine the risks. You need to place a value -- and a probability -- on each of them: what it would cost if it happened, and how likely it is to happen. You need to budget, to find the best way to spread the available money across the security options -- and accept the unpalatable fact that it ain't going to be perfect. You need to plan the implementation, and (most important of all, and most irksome for the uber-geek) make sure that the rest of the company -- management and users -- understand as well as they are able, and agree with you.