10. They do not have a written, vetted, business-focused and communicated strategic plan that is readily available for viewing.\t8. They continue to deploy technology while solving few problems (if it is not sexy\u2026. what?)\t7. They continue to cry wolf-using FUD at every turn.\t6. They submit budgets that do not fully define a return on security investment aligned to a strategy and program.\t5. They run a closed shop where loyalty is valued higher than openness and integrity.\t4. They do not listen to the heartbeat of the business instead gloss over issues as solved when in fact they are setting up corporate officers for embarrassment and failure (aka RSA).\t3. They have not driven configuration management as a core IT value.\t1. They still allow Security 101 issues to exist even though informed of the problems months and years before, for example allowing FTP to flourish throughout their environment.