As security professionals, we are bombarded by products that promise to solve our security problems. It is easy to find verticals where four or five different vendors will claim to be the best solution and will even cite data from third parties to back up their claims. For example, I have lost count of the number of vendors who claim to offer a "single pane of glass" that will give me a comprehensive view of the security of my networks and data. While many of these products can add value, it is easy to get lost in a sea of security products.
What I try to remember is that security is really about process, not about products. At its core, security is the process of managing risk and protecting assets. Those assets can be physical (a gas turbine), human (our families, coworkers, and other fellow Americans), or virtual (intellectual property). Getting better at the process of managing risk and protecting critical infrastructure assets is what InfraGard is all about.
There are a variety of frameworks for analyzing security. One that I am familiar with is NIST's Cybersecurity Framework (CSF). In this model, NIST looks at security as consisting of five key functions -- identify, protect, detect, respond, and recover. There are a variety of security products that line up with each of these, but the most important part of the framework is the way it makes you think -- understanding the assets you are responsible for, the risks that might affect each of those assets, the impact of an incident affecting one or more of them, and the controls that can be put in place to mitigate both risk and impact.
When I follow a disciplined process like this, I find that security does not have to be as hard as it sometimes seems. Don't get me wrong -- I know very well that security is not easy, especially in large, complex environments that face a very diverse threat landscape. But it is also not impossible. Developing and exercising critical security processes like incident response can help any of us reduce the risk of suffering a loss and the impact or duration of a loss.
Depending on your industry and specific security needs, there are other frameworks that may be a better fit for your organization, but most share a common focus on process.
Regardless of which framework you choose, it should not be just a compliance exercise. When used effectively, a framework can change the way we think about protecting our critical assets. It is an old adage that there is no such thing as "perfect" security, but robust processes and a culture of continuous improvement allow us to get a little better every day.
Security authors have been telling us that security is a process for decades, but we often lose sight of that fact in the search for a tool that will solve our security issues. Bruce Schneier wrote a famous essay about this topic as far back as the year 2000.