Too much technology with too little process
I have worked with countless companies in my career, specifically helping them with their security strategy. The majority are overfocused on technology. I have never seen any that were overly focused on process. In Chapter 6, Information Security for a Changing World, we discussed security triumvirates, including the triumvirate of people, process, and technology. A triumvirate by definition should be equal in power. However, on average based on my experience, most security programs focus 60% of their effort and budget on technology, 30% on people, and 10% on process.
There are several theories on why this may be, but mine is that it is simply easier to select a technology than it is to define a process. In a world where people in cybersecurity teams are overloaded and stressed out, the easiest solution becomes the preferred solution. This technology proliferation and accompanying neglect of process design lead to a concept known as shelfware...
