you have probably heard or even sick of it: security is a journey…it never ends…security is not a destination…yada yada
is security really a journey, or let’s say, does it have to be an endless journey where we actually do not enjoy or even hate to have such a journey?
security as a journey yes or no depends on how we define it but regardless of our perception of Security, right or wrong (which there is no such thing from POV of individual businesses) this journey does not have to be with no end or destination, painful and super expensive.
there are many ways to accomplish any level of security or better say maturity in infosec but none requires commitment to a long term no stop, expensive painful journey with no bright horizon or expected achievable destination.
some want to forcefully dictate that security is a journey to make you ready to pay the bills for a long long time. as I always say, willingness to do something is the first requirement or factor in expecting where and when you can actually do stuff and accomplish a mission. so if community is not willing you the right mindset (1st mindset, second resolution, 3rd solution) then you will be hammering water in this endless journey of security forever.
I am not pessimistic at all, I am just reflecting what has been happening aka the results of 4+ decades in security community. so it is not my fault that the direction is wrong and journey never ends because people do not know where they are headed. choose the right direction and be at destination at your expected and feasible time. any journey is going to some day ends, how security is different?