I just wanted to repost a snippet from a recent post by John and Larry over at pauldotcom, “…Security is Hard,” (emphasis is mine):

“Moving forward we need to start looking at how we can baseline our networks, systems, and applications. Then we need to start watching for deviations from the norm. There is no shiny box or product that is going to “beat down” all malware and attacks for you. It is just like health. We all know what it takes to be healthy. It requires a good diet and exercise. But that is hard. We would much rather buy a pill, which never has worked. But, it looks easy, so we give it a try anyway. Maybe, just maybe this time it will work. It is the same with security. We know what we have to do: know your network, your systems, your applications, test, test and retest. Then, when you are done testing, do it some more then hire an organization to do a pentest for you that actually knows what they are doing. Then, start over again. “

The diet pill analogy is always an excellent one that I too often forget. We so often want the easy road in so many things, but sometimes you just have to plain put some effort into it. This is a great companion analogy to home security. Is there any one thing you can do that will solve home security? Nope. Ask anyone who has a nifty security system and still had an incident…

Someday I should make a page that goes over some useful infosec analogies…

risks with car drivers
diet pills
home security
healthy living/immune systems
insurance

I’m sure there’s also some useful ideas in sales/marketing for when an organization simply doesn’t want to face the music when it comes to security and security spend. How do you get someone to buy something you feel they need but they don’t feel they need, or feel like they need to put any time into? For most (including me) you’re really just left with FUD or an actual smell-the-coffee incident.