10. They do not have a written, vetted, business-focused and communicated strategic plan that is readily available for viewing.
8. They continue to deploy technology while solving few problems (if it is not sexy... what?).
7. They continue to cry wolf, using FUD at every turn.
6. They submit budgets that do not fully define a return on security investment aligned to a strategy and program.
5. They run a closed shop where loyalty is valued higher than openness and integrity.
4. They do not listen to the heartbeat of the business and instead gloss over issues as solved when in fact they are setting up corporate officers for embarrassment and failure (aka RSA).
3. They have not driven configuration management as a core IT value.
1. They still allow Security 101 issues to exist even though informed of the problems months and years before, for example allowing FTP to flourish throughout their environment.