I just hung up the phone after a call with a potential client who wanted to talk about IPS and VPNs. About 5 minutes into the conversation, the call turned into how they needed to be PCI compliant, how they have critical customer data they want to protect, and how they need more insight into the state of their general security posture. How did the original intent of the call morph into this all-encompassing, uber-call? By asking a single question: What is driving your need?
It is amazing how quickly that question changes things. The guys at this company were seriously smart and very open-minded people. They knew that security was not where it needed to be at their company. They knew that they had to be compliant with PCI. But they got so focused on a couple of technology silos that they ended up basically trying to put a puzzle together without the box and blindfolded. Then that question opened up the floodgate, and they started seeing the bigger picture. Again, they knew the picture was there. But they were only looking at a piece of the picture at a time.
I also went to see a client today with a vendor my company represents. The client was focused on the product from the standpoint of management ROI. Basically, he wanted to make his job and the jobs of his employees easier. And while I will never say that is not an admirable pursuit, he was surprised when we started mentioning disaster recovery as it related to the product. He had been so focused on one aspect of the product that he had not even thought about how it could help him with DR (even though he had a current project surrounding DR). The solution was obvious, but he had his blinders on.
I wrote a post that is somewhat related to this at my personal blog. There I talked about what you have to do when different vendors are trying to sell you a product that is essentially a commodity. When everyone's product is effectively on the same level playing field, how do you choose which one to buy? You have to look at the "intangibles", like viability, diversification, etc. The same is true when it comes to security. Sure, every business has different drivers for trying to secure its network and data, which means that each company is going to buy different products and services to get there. But they are all trying to get secure (at least most are - some are hopeless). So if the end-point is the same, then how do you choose how to get there? You have to look at the intangibles there as well.
You get there by looking at your environment in its entirety. You have to take a look from the 10,000-foot view. If you focus on a technology, you are putting on blinders. If you look at the problem you are trying to solve, then you will get to look at technology eventually, but you will be looking at each piece as it fits the whole. That is a much more difficult path, but it will be worth it in the end when your management is much easier and your security is much tighter.