There are a lot of go-to sayings that are generic enough that folks will use them as an ice-breaker. A way of getting you to nod your head as they build their premise. “Security is a process” is one of those.
Who started that? The presumption with that is to point out that security is not a product. “You are not your firewall.” I get that, but I do not like the expression any more than any other watered-down talking point that politicians use in an election year.
I had at least one guy who privately objected to my 140-character assessment of this. I got the sense that such an expression is a truth, and to rail against such a truth implies that you should at least have a replacement. “If it’s not a process then what is it?!?” It’s rhetoric that helps you set up discussion. But hey, I’m game. Some replacements (off the top of my head):
  • Security is a characteristic
  • Security is a system of combined systems
  • Security is a vision
  • Security is indeed a product

What other talking points have the security folk been using for the last decade, thus pretending the pace of change has been minor?