This makes communication with nontechnical staff even more difficult and can further feed the perception that IT staff is alarmist because it advocates proposals that, while technically elegant, are burdensome or otherwise unfeasible in practice.
On the other hand, IT staffers are often reluctant to aggressively advocate enhanced security measures. It is hard enough for IT staff to meet all of the demands of modern business networks without taking on tasks that management does not consider a priority.
The most obvious consequence of a lack of strategic planning is an underestimation of security risks, and a resulting failure to allocate sufficient time or resources to addressing them. Poor security often has no obvious impact on a business until something goes seriously wrong.
These habits tend to reinforce themselves over time; the longer it has been since anyone has had to deal with security, the less likely it is to end up on a budget or at the top of anyone's to-do list. Meanwhile, staff is more likely to deactivate or circumvent various security measures in the name of convenience or new functionality.
A less obvious but equally damaging consequence of an ad hoc approach is the haphazard misallocation of security resources. When security issues do attract attention, businesses without a strategic plan typically find themselves operating in "crisis mode" and are often unable even to assess the nature or applicability of the issue (never mind responding in a sensible, effective or cost-appropriate manner). This stance leaves businesses vulnerable not only to the various parties seeking to breach their security, but to unrealistic marketing pitches and media hype as well.
Damaging security breaches often go completely unnoticed until well after the fact. In the absence of a strategic plan, it is all too easy to continually postpone addressing security issues, particularly regular assessment and maintenance, until more urgent concerns are dealt with. Unfortunately, very few businesses ever run out of urgent concerns.