Robert Forbes and Arun Sivaraman January 22, 2008 10:16 am

None of the SANS Top 10 are really "new" threats, although as stated, the details change and become more sophisticated over time. Responding to any one of these points in a vacuum is fruitless, and a well-thought-out security program should, if followed, provide a reasonable response and appropriate controls. If organizations try to stamp out each and every threat reported by SANS individually, they will get lost in a maze of activities and technical controls. It will be more of 'curing the symptom' than addressing the real problem. The problem becomes exponentially complex for larger, siloed organizations. Answer: Technical controls and infosec activities based on a well-defined Information Security Management System... and PDCA model. I am not just talking of ISO certification, but a real-life, functional management system which defines the priorities, assets, risks and how to manage those risks on a day-to-day basis using the infosec activities and automating these with technical controls.