While browsing through the security headlines the other day, I came across an article where Cisco’s CSO, John Stewart, proclaimed that anti-virus software and security patches are “… completely wasted money.” His justification for this statement was the large number of “companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it--as opposed to stopping it completely.”
Now, through my work history, I have failed to witness organizations that view a virus infection as a commonplace occurrence. This was because the organizations that I have been associated with all maintained up-to-date virus definitions throughout their enterprise. As we all know, anti-virus products are only as good as their definitions – failure to keep your definitions up to date can lead to serious problems. But I do not feel that this is par for the course. The same can be said for operating system and application security patches. Failure to maintain these can leave holes in your defenses that can be easily attacked.
I do not think that it would be wise to completely abandon an organization’s anti-virus and software patching process. This is a fairly safe and easy way to maintain your organization’s security. I am interested to know, what does everyone else think?