10 Reasons Not to Buy Information Security Products
By Kevin Beaver on Friday, December 09, 2005
Information security product vendors have all the right solutions for practically every threat, vulnerability, and risk your organization will face. At least that’s what their marketing and sales folks will tell you. If you can cut through the fluff and short-sighted deals closed for the sole purpose of making quarterly numbers, there’s actually a lot of truth to this.
In the last couple of years, information security vendors have cropped up with solutions for seemingly every possible security need. This is especially true in the information security equivalent of Silicon Valley – Atlanta, Georgia. From regulatory compliance to insider information theft, to wireless security to spam prevention and malware obliteration – there’s no reason your information systems shouldn’t be completely secure. Right? Hardly.
There are 10 signs that you’re not ready to buy any new information security products – regardless of what the vendors promise. Here they are in no particular order:
- What you’re trying to protect is worth less than what you’ll have to spend (initially and ongoing) to protect it.
- Your management runs the business in a vacuum and has no clue about information security.
- All of your insiders are trusted by upper management to do the right thing (deadly mistake that happens often).
- You’ve heard through the grapevine that you need a certain technology to be safe (this really requires a formal information risk assessment).
- Your management believes the network is secure because they purchased the firewall and anti-virus products that everyone was raving about last year.
- You have no formal security policies (i.e. mandates stating “this is how we do it here”) that:
- Have been formally documented.
- Are supported by an IT governance committee (not just IT).
- Have been approved by management.
- Employees know about.
- Are reasonable and enforceable.
- Are being maintained and enforced by HR and management (again, not by IT).
Otherwise, you simply have a wish list for IT governance that will never stand up against real risks and certainly won’t have a chance in court.
- The “security policy” you do have is a fancy name for your firewall rulebase.
- You don’t truly know what it is that you’re trying to protect.
- There aren’t clear business reasons why your information and systems need to be protected and what they’re being protected against in the first place.
- You haven’t enabled the security controls that come free with all recent operating systems and most hardware devices and software applications (e.g. authentication systems, access controls, encryption, personal firewalls, automatic security updates, logging/audit trails, and so on). Many of these are overlooked, yet they can offer a ton of value without you having to spend an extra penny on third-party solutions.
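The last item is the one you can act on today. As an added example (not code from the original article or from Principle Logic), here is a small auditor for one of those free controls: the authentication and logging settings already built into OpenSSH. It assumes the standard sshd_config format (one keyword per line, `#` comments, keywords case-insensitive, first occurrence of a keyword wins, directives after a `Match` line apply only conditionally) and the documented defaults of recent OpenSSH releases; the sample configuration, the hardening expectations and the function names are constructed for this example.

```python
"""Audit an sshd_config for built-in controls left at weak settings.

Added example, not part of the original article. Assumptions: OpenSSH's
sshd_config format ("Keyword value" or "Keyword=value" per line, '#' starts a
comment line, keywords are case-insensitive, the FIRST occurrence of a keyword
wins, and anything after a "Match" line is conditional and therefore skipped).
"""
import re

# Value sshd applies when a keyword is absent (OpenSSH 7.x+ defaults; treat as
# an assumption for older builds). An absent keyword is still a decision.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "loglevel": "info",
    "maxauthtries": "6",
}

# Hardening expectation per keyword (constructed for this example): each
# predicate receives the lower-cased effective value and returns True if it
# is acceptable.
CHECKS = {
    "permitrootlogin": lambda v: v in ("no", "prohibit-password"),
    "passwordauthentication": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "loglevel": lambda v: v in ("info", "verbose"),
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line (commented keyword = default)
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything below applies only to matched users/hosts
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # later duplicates are ignored by sshd
    return settings


def audit(text):
    """Return sorted (keyword, effective_value, source) for each failing check.

    source is "config" when the value came from the file and "default" when
    the keyword was absent and sshd's documented default applies.
    """
    settings = parse_sshd_config(text)
    findings = []
    for keyword, ok in CHECKS.items():
        if keyword in settings:
            value, source = settings[keyword], "config"
        else:
            value, source = DEFAULTS[keyword], "default"
        if not ok(value):
            findings.append((keyword, value, source))
    return sorted(findings)


# Constructed sample: note the commented-out default, the duplicate
# PermitRootLogin (the second one is silently ignored) and the Match block.
SAMPLE_CONFIG = """\
# Constructed sample sshd_config for this example
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding yes
LogLevel INFO
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for keyword, value, source in audit(SAMPLE_CONFIG):
        print(f"{keyword}: {value!r} ({source}) is weaker than expected")
```

Run against the constructed sample it reports four findings, two of which are easy to miss by eye: `PermitRootLogin` stays `yes` because sshd honours the first occurrence, and `MaxAuthTries` is flagged although it never appears in the file, because the default of 6 is the setting in effect. Point the same `audit()` at the real `/etc/ssh/sshd_config` to get the list of free controls you have not yet switched on.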
My reasoning behind all of this is that you can’t throw money and technology at underlying business problems and expect a long-term solution. Furthermore, you cannot fix what you don’t acknowledge. Technology solutions such as firewalls, intrusion prevention systems, and strong authentication often mask other problems for which management isn’t willing to be held accountable. Solid policies and processes can often substitute for technology solutions, and over the long term they are frequently the better alternative.
Until you can get management to buy-in that information security is a serious business issue and follow through and enforce their policies, IT governance will continue to be non-existent and information will continue to be in jeopardy.
Security doesn’t come in a box, but it’s often portrayed that way. Likewise, technology should not drive business decisions and processes. Don’t fall into the trap until you step back and look at information security from a business and risk management perspective. Determine where your organization is vulnerable, develop policies that match up with your business needs and goals, and then determine if technology can be used to assist in policy enforcement. This is the only way you can ensure that your IT and security dollars are being spent wisely. What a nice way to start off the new year.
Kevin Beaver Principle Logic, LLC
kbeaver@principlelogic.com