Too many IT departments take the stance of “I’ll worry about it when I have to worry about it.” The problem with security issues is that by then it’s too late. Oftentimes, maintaining the status quo is as dangerous as doing nothing at all.
In my experience there are two types of enterprise IT departments: those that maintain the status quo and those looking to continuously explore and improve.
It is truly unfortunate how many fall into the former category. But the problem with IT security is that it’s an ever-evolving and moving target. So the decision to not dip your toe in the water and understand all available options could mean the difference between a panicked 3am call regarding a breach alert or a good night’s sleep.
I realize this is an overgeneralization, and oftentimes the decision to “stay the course” is not in the hands of IT. There are budget concerns. There are personnel limitations. There are higher perceived priorities. There are complex layers of interdepartmental decision-making. So, if it ain’t broke, don’t fix it…right?