Imagine that you are observing people construct a new building. They are not looking for anything elaborate, and as long as they can get a roof over their heads quickly, conveniently and inexpensively, they are prepared to accept flaws and imperfections. So they dive right in, with a rough sketch of a blueprint, a minimum of planning, and very little assessment of local climate, geology or traffic patterns.
Instead, they focus their efforts and money on selecting and acquiring good, solid building materials. Construction itself is something of an afterthought: Individual pieces of the structure may be competently assembled, but little thought is given to how they fit together.
How much would you be willing to risk on such a structure?
As absurd as this scenario sounds, it bears a striking resemblance to common approaches to corporate information security. Security generally creates no additional revenue and is often viewed as disrupting efficient, productive business operations. In addition, security encompasses a number of highly complex technical issues that are understood by relatively few individuals.
As a result, in spite of decades of warnings from security experts, enterprise decision-makers believe that they can address these issues simply by identifying the right combination of hardware and software products--a temptation that many security vendors work hard to reinforce.
Without a realistic, well-implemented security policy, no firewall is going to do all that much. Practical, effective security doesn't come from a particular product, any more than good architecture comes from a particular brick supplier. And just as there is no one "correct" blueprint, there is no single collection of security strategies or techniques that will work for every business. A good process, however, will enable you to develop a security policy that will meet the needs of your enterprise.