Monday, December 18, 2006

List vs. List?

A recent TechNewsWorld.com article ascribes to Robin Bloor, a partner with a consulting and research firm, the view that antivirus software is "irrelevant" to computer security, as it represents a reactive and ineffective approach to malware. It also attributes to him the view that "[t]he correct solution to the problem" is a whitelist (rather than blacklist) approach, authenticating software before it runs.

While the article goes on to note that others concerned with online security also see virtues in whitelisting, it inadvertently sets up a false dichotomy by suggesting that enterprises must choose between whitelist and blacklist approaches in selecting security solutions. Perhaps the competing claims of vendors that offer different solutions have something to do with this. Nonetheless, CIOs who select and implement network-security measures should put themselves in the shoes of Ansel Adams. Adams never relied on a single hue -- black, white, or gray -- in composing his masterworks, and neither should an IT department in choosing security solutions. The "right" solution may require a variety of security "shades" -- blacklist, whitelist, graylist, or a combination thereof -- as well as other elements that create a fully integrated approach to security.
