Information Security is like painting the Golden Gate Bridge: it's a perpetual task! Many people seem to believe that by buying some product or security service they can obviate their responsibility. In some cases products and services can help, but they're very (very, very) unlikely to help you unless security is a business consideration that is part of day-to-day business in process, procedure and technology.
Information Security shouldn't be an onerous task - it simply needs to be a pervasive consideration.
Thanks to Thomas Hawk for the amazing image. Thomas has many more fantastic pictures in his photo stream.
But information security is also very different!
It only takes a few people to paint the bridge. (I don't know how many.) They are responsible for getting it done. Their supervisors don't need to help or participate in order for the paint job to get done. Bridge users don't need to be involved (although they may be inconvenienced if the job causes a lane to be closed).
For information security, we *need* both executives and users to be involved. Without authority (and sometimes support) from management, we're just there to take the blame when something goes wrong (to paraphrase Gene Spafford). Without some end-user awareness, we're always vulnerable to human mistakes, misunderstandings, and misdeeds.
Universal participation isn't a requirement for painting bridges, but is for properly protecting information, technology, and people.
Ron> Absolutely! Thank you for sharing your thoughts