January 14, 2013, 2:17 PM — As happens every January, when the new year arrived a couple of weeks ago, I saw a lot of new joggers and dog walkers out on the roads in my neighborhood. I've heard that gyms see a spike in business every January as well. In both cases, after a few weeks, things revert to about where they were before, as most of those who resolved to get fit in the new year fall away.
The problem is that real fitness is not achieved through a quick fix. It's an entire lifestyle, not a couple of jogs around the block.
Parallels can be drawn to security, be it information security, application security, software security or any other security discipline.
For many organizations, certainly, the quick fix can be tempting -- and it's just as illusory as the fitness quick fix. Again and again I've seen organizations that otherwise are lax in security matters commission a quick penetration test of whatever software or app they're deploying. They hope the test will give them an easy list of things to fix and leave them -- ta-da! -- secure. Even worse, they might go out and purchase a firewall, IDS, application firewall or some other product they heard about at a trade show and expect it to magically secure their shoddy software.
These things are to security what a pill that promises to burn fat while you sleep is to fitness. In both cases, the only thing you end up burning is cash.
Real security only comes with a lifestyle change, serious commitment and determination. It requires sweat and pain at times. But the results can be worth all that effort.
If you are ready for that kind of commitment, then the next natural question is where to begin. Quite simply, you need a plan. Failing to formulate a solid plan is what trips up the New Year's resolution crowd, and the same is true for organizations seeking better security. If you're out of shape, you shouldn't expect that you can just put on the sweats and running shoes and run a few miles on New Year's Day. Getting to wherever you want to be is going to take time, and should be planned accordingly. Start with the small things and gradually increase.
Here's how I would recommend easing into better security shape: