Don't blame the vendors for sad state of security

Roger Grimes over at InfoWorld posted a sobering column. He is frustrated by the fact that no vendor sells a product that defends against all attacks. Or, as he puts it:

There is no single product that will protect you against 100 percent of the threats that it claims it will prevent.

I agree completely with those statements and I like Roger's example of being able to own any corporate network with a simple email:  

Just send a spam e-mail to corporate employees entitled "Pending 2006 Layoffs" pretending to be from the CEO, and have it contain one of the many MS-Office zero days with an unscannable remote access trojan. I do it for a living, and rarely do I have to wait more than a few minutes for complete network access.

But Roger's frustration should not be targeted at the vendors. We are all engaged in a continuing struggle that needs constant vigilance and investment to fight. A single vendor is not going to solve all our problems, despite the now common advice from industry analysts to buy from big name AV companies.  As long as Microsoft continues to issue buggy software, as long as new products and services are developed, as long as business itself is dynamic and changing, there will be new threats, new attacks, and the need for new defenses. 

 Don't waste your breath moaning about it. Get out to the front lines and start defending your networks!