An interesting article in Information Week about the practical planning for security in the corporate environment. The man who invented one of the early versions of Norton anti-virus software laments that IT pros are wasting their energy… I love his analogy describing the failure to set realistic expectations for security:
The industry spends way too much time on vulnerability research, testing, and patching, considering that only 3% of the vulnerabilities discovered are exploited, he said. He compared it to automobile safety research: “If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver. … If I disclose that vulnerability, shouldn’t the automaker put in some sort of arrow deflection device to patch the problem? … And because it’s potentially fatal to the driver, I rate it as ‘critical.’”