There is no doubt that security is not a project: it has no end, and we need to evolve constantly. But does it seem to you that you are putting in more effort than you expected? You may start to wonder why you are constantly chasing issues to fix, but is this the way security works?
No. You may get bombarded with marketing messages telling you that you have to keep running, but it is not true; the problem lies in a different area… the choice is yours:
Gaining “Security” via constant “fire fighting” vs. “guaranteed security” via adequate system and network administration!
It is all about the way we manage and configure our technology environment, from infrastructure to end-user machines, from software to processes. That is the most frequently observed cause of general failure in cyber security: the tech team (usually the IT department) is not managing the systems and network well!
The way we administer technology is the main driver of our security program; it can fail us or take us to the next level. If we are running all the time to catch up, if we are struggling to keep a smooth patch management process, if we do not know where the risks are at any given time, if we are constantly introducing risk and insecurity into our systems… all of this is because we do not manage our systems and network properly.
The simplest examples are setting up software or hardware with its default configuration and hoping that it works, and leaving systems and network nodes unattended until they start screaming by indirectly breaking some other element. We always blame the technology; we never ask ourselves how we manage the technology!
Default configuration is not the only example, but it is the most frequent one, because sooner or later the tech team is configuring a new system, piece of software, hardware device or script, and this usually happens with no security in mind!