Gary Fish and I had a great conversation with Alan Shimel on his Security Exe podcast last week.  If you have a few minutes, you can listen to our discussion here: http://www.ashimmy.com/2011/12/have-we-got-risk-all-wrong.html

One of the great points to come out of the conversation was a comment Gary made.  Paraphrasing here, Gary proclaimed, “You shouldn’t buy another security product until you understand your current security posture.  And that is the power of Risk Analyzer.  Identify the gaps that really need to be fixed before you spend your money on another ineffective security product.”

I think this is a great point.  Before you set out to fix something, understand what you are trying to fix.

Also, this statement reinforces the point we have been making for years.  Security technology to mitigate, reduce or limit risk is great, but only if it is effectively managed.  Understanding the current security posture in the context of these existing controls should be a prerequisite to any future security project.