Recently, Hannaford's CEO announced that his company would "spend millions" to improve their security posture and prevent further data breaches. This is a laudable stance; however, it is also an example of what I call "The Recency Trap"... when organizations respond to a recent event or change in circumstance and often over-invest or invest in the wrong places (often both). It's like when the E&Y employee left his laptop on a bus and some C-level knuckle-head there decided it was a good idea to mandate encryption on all 22,000 E&Y laptop hard-drives. Are you kidding me?! That is one expensive fix - and one that would have most likely been implemented incorrectly anyhow - but worst of all is that it ignores the REAL threats that a company like E&Y is facing. Why spend that money on hard-drive encryption at the expense of other business continuity, training, and data protection initiatives that would yield higher returns and mitigate more risk?

Similarly, why should Hannaford spend millions on intrusion prevention systems (IPS) when that wasn't the major problem? They had malicious code implanted on their systems, and IPS can't do ANYTHING to protect against software security issues or people taking advantage of known security flaws to exploit a system. And it certainly can't help the company if an insider with access installs software on a server. They are spending lots of money yet ignoring the bigger issues... they are taking their eyes off the ball, imo.

Companies are spending WAY too much money on network infrastructure defenses and way too little on things like awareness training, software security, and data leakage! Studies from Gartner and NIST indicate that between 75 and 92% of security vulnerabilities are due to flaws in software; yet they also report that over 90% of IT security spend is on perimeter security such as firewalls and IPS.
This demonstrates two things to me:

1.) CIOs (who have buying power) don't understand the real threats.
2.) CISOs (who don't have enough power to open eyes) may understand the real threats but can't do anything about it.

There IS NO PERIMETER anymore. And most of the perimeter/network defenses are USELESS against the software problem and the insider threat. Criminals are going after retail and web sites with large customer databases that contain credit card data, CVVs, names, and addresses. Why? Because this info is valuable and can be sold WITHIN MINUTES of it being stolen. And most criminals take advantage of known security flaws in applications and operating systems. Spend your money on properly patching your systems and hardening your applications!

The fact is that most applications are rushed into production without security testing. Companies fear that writing secure code will cost too much, but there are many data points that prove otherwise:

1.) Insecure software is much more expensive to maintain and patch... and oh yeah, it can also cost you millions if it causes you a data breach.
2.) Once you know how to write secure code, it doesn't take any longer to create an application than if you wrote it insecurely.

Hannaford would be much better served writing properly secure code to protect their customer data at the source (and demanding that the vendors they buy software from do the same) instead of spending millions at the perimeter on network defenses that will make them no more secure from the attack that breached them.