Last week I joined sixteen thousand other IT professionals at one of the largest information security shows in the world. I've been to this show many times before. As always there were some interesting products and MANY clones. The theme I picked up whilst walking the halls was the usual "buy our product or the sky will fall down".
If you are under pressure to "do something to improve security", the temptation to buy a shiny new security product may be overwhelming. Promises made in the marketing collateral are difficult to realise without the appropriate implementation, guidance and support.
STOP. Take a step back. Consider your overall information security requirements and policy, and measure compliance against them to get a balanced view of where you need to invest time and money. Nine times out of ten you will be better off making better use of the controls you already have AND improving the security awareness of everyone who uses the infrastructure.
People, processes and technology need to be leveraged TOGETHER for effective security.
Answering questions like "who needs access to what, why and when?", "how do we know who they are?", "should anonymous access be allowed?", "what are the trust boundaries as information flows around my organisation?" and "is this a stupid policy?" will do you much more good!
Advertising shiny new products as the most important thing you'll ever need seems to be a side effect of today's society. My employer sticks to a delayed upgrade; we only recently moved to WinXP from Win2000, but I haven't received a single SPAM message or suffered a single virus. Sometimes there's nothing better than a solid architecture, as you say, or excellent sys-admins.
It's like my old Linux server I used to run. It delivered 10Gb a month on an old P2-350 with 256Mb of memory, I think. It suffered one hack when I installed a crappy version of CVS. Other than that, it just worked. That's how it should be, and when it happens it's a good feeling.
I'm trying to get away from the thinking that new and shiny is better. Not always.
When dealing with data privacy, we need to think about proper use of Personally Identifiable Information.