Find a security need, buy a product

An article by David Joachim over at Security Pipeline (3/24/2005) highlights the ten worst security practices. A good article. We do learn by laughing at other people's mistakes. 🙂
His first item left me thinking. His first "worst security practice" is "if you find a security hole, buy a product to fix it". He argues that we feel secure in our security products. We've seen this attitude from some. If we upgrade to Windows XP we will be secure. If we load this month's patches we will be secure. If we buy a desktop firewall, then we will be secure. If we buy anti-spyware software, then we will be secure. The bean counter wants to see tangible results from the large expense of new security software. He or she doesn't want to get the next bill for the next solution instead.
The main problem is the mistaken assumption that security is something that is purchased rather than something that is done.
The secondary problem is when the software is purchased but not implemented, or implemented but not maintained. This can happen with security products that bug the users too much, like a personal firewall, or it can happen with overly complex things, like a NIDS.
My spidey sense kind of perked up at this. Is the author trying to say security products are bad? Should I not be wanting to buy IM antivirus to address the problem of IM security? Yes, we all know that every dollar spent on user education is worth 10 spent on security products. But we've got these holes that I want to block!
Where I've ended up in my thinking is that the author is correct. Tools are not an end in themselves. Tools are something to solve a problem. They should not get in the way of the security big picture. This doesn't mean we don't need the tools I'm looking at. It means that we as techs are pretty gadget-oriented already. We shouldn't let these new tools become new toys that distract us from the goal of security.