IT security is a complex and competitive endeavor. Attempting to address individual issues without a clear and consistent sense of the larger picture is like trying to play chess without being able to see the board.
Nevertheless, businesses large and small continue to tackle problems and potential problems on an ad hoc basis, facing them one by one once they are perceived as crises. As a result, they not only end up with bad security, but spend far more than they should in the process.
So, if this is such an obvious and common mistake, why do people keep making it?
First of all, contrary to common belief, information security is not a technology problem. While it has a major technological component, it is a systemwide issue that touches on nearly every aspect of business practice and planning. As such, strategic planning requires an active collaboration between IT and management staff.
IT staff needs to educate management about the nature and degree of security risks, plan appropriate responses, and weigh the technical benefits and costs of various defensive approaches.
Management, on the other hand, needs to work with the IT staff to make informed decisions about appropriate levels of risk tolerance, review nontechnical security measures, and incorporate both technical and nontechnical measures into broader business practices.
This kind of collaboration would be exceedingly difficult even under the best of circumstances. And security issues definitely do not present the best of circumstances. While good security may prevent serious losses, it very rarely brings in money. Security risks, moreover, are notoriously difficult to predict and quantify.
As such, management staff tends to view preventive security measures as something of a luxury, particularly if they have never experienced a major security breach. Indeed, they often tend to view IT staffers who advocate for improved security as alarmist or paranoid (though, to be fair, this view is not always unjustified).
IT staffers, for their part, often fail to place security concerns in context, focusing on technology issues to the exclusion of all else.