Eat less - exercise more!
by Anton Chuvakin
Related link: http://loop.interop-comdex.com/comments/199_0_1_0_C/
The line just about summarizes this truly insightful piece from Marcus Ranum: "Security is not about doing a lot of smart things. It's about not doing a few dumb ones."
I am a bit surprised about the "Don't outsource security" stance though. While I've heard about some people having bad experiences with outsourcing security, it seems like it might be the best option for some small and medium companies with no security staff. Some say "we are in the business of doing X and not in the business of doing IT; thus we will outsource IT". The same argument seems to apply to security perfectly...
Security for small/medium-sized businesses is a real conundrum. My thought is this - if you have your own in-house IT staff, there is absolutely no reason to outsource security. It should be handled in-house as well.
>When you have little or no IT experience in your company, it can be
>very difficult to tell a real security provider from a fake or bad one.