20 Feb 2007

Shock! Technology can't solve every security issue!

A comment in the latest CISO Handbook newsletter about the RSA conference caught my eye this morning:

"The third factor, and maybe the most important, is that most security professionals are fixated on solving security issues solely with technology. The number of vendors at RSA that were addressing physical elements of security were scarce, and anyone addressing the sociological elements of security were nowhere to be found (except one that does not count because they solve the problem with an appliance). Technology cannot solve every security issue, all it does is create an imbalance in a company’s security program that leads to a false sense of security (Pardon the pun)."

RSA is, almost by definition, a technical forum, but at the risk of becoming boring, I'll say yet again that information security cannot be 'solved' by technology alone. As long as people are part of the problem, they will inevitably be part of the solution. Security awareness, training and education, coupled with readable policies, usable procedures and helpful guidelines, are essential parts of the information security jigsaw puzzle. So too are management understanding and support ('walking the talk') and a thoroughness of approach by the infosec professionals. Those who are defending the castle must remember that the advancing hordes need only find and exploit one chink in each layer of our defenses.

Perhaps we should repackage and gloss up our own security awareness services as a 'technology solution'? "Click here to download security awareness 2.0, the all-new information security control system." I guess not.

[PS We reviewed and recommended the CISO Handbook last year.]

