It was IT's dirty secret: Spending millions of dollars on security products such as firewalls, antivirus and intrusion detection bought companies little more than ticks in an auditor's checkboxes. Greg Shipley, a respected security consultancy CTO, laid that secret bare in a parting manifesto before joining In-Q-Tel to help the U.S. government spot innovative tech startups. The result: our cover story titled "Epic Fail." Some vendors cried foul, but Greg backed up his thesis with extensive testing of five major antivirus suites that showed detection rates of no better than 30%. His message that you can't buy security came with an action plan. Spend on controls in line with threats. Get realistic about detection. Reward innovative vendors. Know when tech isn't the answer. Since then, the strategy of focusing on risk, process and awareness training has caught on.