Bruce Schneier has indeed said that 'security is a process', but more, I think, to call attention to the problems that appear when security is regarded as product: security should rarely if ever be bought off the shelf, plugged in, turned on, and largely forgotten.

It's unfortunate that there seem to be no good, simple definition of the term 'security' -- it would help avoid some conceptual problems laymen have. For instance, 'there's high security and low security, but what does that mean if security is a process?'.





[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/324/31837#31837