More Than a Hammer: Expanding the Information Security Toolbox

When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the “background and hobby interest of the majority of technical people in the industry.”

In addition to the infrastructure security “hammer,” our toolbox needs to incorporate the following elements:

These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.

Update 1: For more thoughts on this topic, read Gunnar Peterson’s post He Who is Not Busy Being Born is Busy Dying, as well as Christofer Hoff’s response.

Update 2: In a follow-up post I offered my tips for how to Down the Walls Between Application and Infrastructure Security.


About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. He is presently the CISO at Axonius and an author and instructor at SANS Institute. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more