The belief that a company will never face a security or compliance incident is rather naive, yet it is still held by many business managers. They would rather maintain a reactive approach than invest time and money in a proactive, systematic one. When an issue arises, or a business unit receives a high degree of public attention, the incident is addressed, and the process of doing so has come to be known as a compliance program.
To exaggerate this a little, imagine the following series of events:
Find out that you have an issue
Get management buy-in to throw money and time at the issue
Implement your solution as publicly as possible to show what a great job you are doing
Pray that the issue is truly addressed
In other words, the issue is identified and addressed, but there is never a true assessment of the general environment or of the value of what was addressed.
Based on my experience, this reactive approach wastes time and money. Policies...