Chapter 4. Limitations of the Present Models

The cost of poor security in the United States alone is between $22.2 and $59.5 billion per year (NIST)[50]

Executive Summary

Information security surveys are released on a regular cycle revealing what should not be surprising – security breaches increase and there seems to be no end to the rising impact. Could it be that the reason is the way information security and technology organizations approach protecting their information?

Because the products purchased for technology operations are not consistently measured against any given hardening standard (government certification being the exception), the current models for hardening must be considered complicit in this problem. One needs to look no further than the "aftermarket" security model for applying security. What does this mean?

Hardening is accomplished at two levels. The first level of hardening is supposed to be accomplished by the manufacturer of the technology product. At this level the product development teams should be eliminating from their designs the known operating-system vulnerabilities that criminals and attackers exploit. These include buffer overflows and back doors left in by software developers during testing. Vulnerabilities such as these create the need for a never-ending routine of security patching applied to operating systems, applications and product software. The second level of hardening involves the information security teams configuring ...
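The first level of hardening the chapter describes is illustrated below with a constructed C example (added here; it is not code from the book or from any product the chapter discusses). It places the classic manufacturer-level defect, an unbounded copy into a fixed-size buffer, beside the form a development team should ship: the copy is bounded and oversized input is rejected so the caller can log it. The function and buffer names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define NAME_MAX 16   /* hypothetical fixed-size record field */

/* "Before" form, constructed for contrast: strcpy() copies until it finds a
 * NUL, so any source longer than NAME_MAX-1 bytes writes past the buffer.
 * This is the kind of design-level defect the manufacturer is expected to
 * remove before shipping. Nothing below calls it. */
void copy_name_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* "After" form: the destination size is known, the source is scanned for its
 * terminator only within that size, and input that would not fit is refused
 * rather than silently truncated. Returns true when the copy was made. */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    /* memchr stops at dst_size bytes, so an unterminated or over-long
     * source never causes a read or write beyond the buffer. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        return false;               /* no terminator within dst_size: too long */
    }
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);      /* len + 1 <= dst_size, includes the NUL */
    return true;
}

/* Stores a name into a NAME_MAX-byte record and reports whether it was
 * accepted; this is the entry point a caller would audit or log around. */
bool store_name(const char *src) {
    char record[NAME_MAX];
    return copy_name_bounded(record, sizeof record, src);
}

int main(void) {
    /* Constructed sample inputs: one fits, one is 32 bytes and does not. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%s -> %s\n", ok, store_name(ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", too_long, store_name(too_long) ? "accepted" : "rejected");
    return 0;
}
```

The point of the bounded version is not only that it cannot overflow but that it fails loudly: a rejected input is a signal the second-level team can detect and act on, whereas silent truncation hides the event.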
