This is the second of two parts of an interview with Daniel Kennedy, MSIA, who graduated from the Master of Science in Information Assurance program in the School of Graduate Studies of Norwich University in 2008. He has recently become a contributor to an interesting, thoughtful and valuable blog at Forbes Online and I interviewed him recently about his new project.

What do you think your focus will be in the coming months?

I'm still finding my voice on this Web site, but my primary focus will be on what I think is most missing: fundamental security strategy within companies and its effective execution. I am very much in favor of the capabilities new and innovative products can provide, but I find their implementation in many organizations is haphazard; the products lead the implementation calendar rather than allowing internal teams to find the right products that fit into an overall, strategy that prioritize the rollout of its component parts.

For example, there are organizations which provide privileged access to all users and have no Web filtering, yet they are asking about high end data leakage protection (DLP) products. Companies may have no patch management and no validation of their anti-virus, yet they want to discuss high end log review security information and event management (SIEM) products. Many companies are not doing intrusion detection at all, doing it in baffling ways, or outsourcing it to providers who aren't actually monitoring anything. In most cases all of these things should be part of a strategy, but more complex projects will only be successful if built on a foundation of getting the basics right.

The link for this article located at Network World is no longer available.