Technology vendors want to sell a complete product, but it's really not possible to buy your way into a secure environment. That takes a bigger commitment. "It's all about user awareness and procedures," Stead said. That means teaching employees about risky online behavior and building a security team that can get the most out of the security tools it has.
According to Priority Health's Melson, the problem extends beyond the security companies. "If you're going to hold the security industry responsible, you have to also hold the operating system and client software vendors at least as responsible," he said. "You've got platforms that still make it possible for someone to make software that's not part of the design, and not known to the end user."
"I think that at the end of the day the lesson you get from something like the Aurora incident is that you have to have incident responders," Melson said. "If you're not prepped for incident response and incident containment, if you're not using actual people to do security analysis in your environment, the advanced persistent threat is going to walk right through."