In truth, for most businesses, common sense measures such as up-to-date patching and training users not to click on phishing emails yield "good enough" security. There's no such thing as zero risk, but you can get to low risk without tying yourself in knots.
If you have the kind of business with lots of data really worth stealing and sophisticated hackers know it, you can erect every security barricade short of pulling the plug on the Internet and the bad guys will probably find a way in. Primarily, I'm talking about organized crime and foreign governments deploying advanced persistent threats to steal intellectual property.
On the one hand, the security industry helps gin up the fear factor, which may result in overprovisioning. For example, it's easy to damage productivity with ham-fisted access control that denies users access to information they need. If you restrict mobile too much, users may simply smuggle in devices.
On the other hand, if you're a high-value target, you've probably been compromised no matter how hardened you think you are, unless you have a budget as big as the Defense Department's.
If you read Roger Grimes' blog regularly, you probably know that most organizations can radically improve security just through user education and consistent patching -- not to mention multifactor authentication, proper network segmentation, and so on. But more needs to happen.
It's time for the security industry to scale back the scare tactics and quick fixes and to help businesses put best practices in place. That may not sell as much product, but the vendors that truly provide such assistance will enjoy huge customer loyalty.
This article, "The state of security: Fearmongering and surrender," originally appeared at InfoWorld.com. Read more of Eric Knorr's Modernizing IT blog.