It all started with point solutions. Technology professionals and their most tech-savvy customers would identify specific pain points — often after the problem had taken its toll — and developers would come up with solutions to guard against it. This was like the proverbial Little Dutch Boy trying to plug holes in the dike. (Sadly, many infrastructures still rely heavily on these isolated niche solutions.) Perhaps effective in the early days of the security market, this strategy is now far from adequate; even with some holes plugged, the dike remained leaky…and I’d argue it’s becoming more leaky.
So, the industry moved on to event detection and incident response. The goal was to sniff out individual trouble spots as soon as a real problem arose and put corrective measures in place, and/or respond more effectively when a vulnerability was exploited. In the process, security became a more strategic part of software development and deployment, but still an “add-on” — not core to the strategic information technology that runs a business.
