More Than a Hammer: Expanding the Information Security Toolbox

When the only tool you have is a hammer, it's tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the "background and hobby interest of the majority of technical people in the industry."

In addition to the infrastructure security "hammer," our toolbox needs to incorporate the following elements:

These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.

Update 1: For more thoughts on this topic, read Gunnar Peterson's post He Who is Not Busy Being Born is Busy Dying, as well as Christofer Hoff's response.

Update 2: In a follow-up post I offered my tips for how to Down the Walls Between Application and Infrastructure Security.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more