IT security is a complex and competitive endeavor. Attempting to address individual issues without a clear and consistent sense of the larger picture is like trying to play chess without being able to see the board or any of the pieces.
Nevertheless, businesses, large and small, continue to tackle problems and potential problems on an ad hoc basis, facing them one by one once they are perceived as crises. As a result, they not only end up with bad security, but spend far more than they should in the process.
If this is such an obvious and common mistake, why do people keep making it?
First of all, contrary to common belief, information security is not a technology problem. While it has a major technological component, it is actually a system-wide issue that touches on nearly every aspect of business practice and planning.
As such, strategic planning requires an active collaboration between IT and management staff. IT staff need to educate management about the nature and degree of security risks, appropriate responses, and the technical benefits and costs of various defensive approaches.
Management, on the other hand, needs to work with the IT staff to make informed decisions about appropriate levels of risk tolerance. It also needs to review non-technical security measures, and incorporate both technical and non-technical measures into broader business practices.
This kind of collaboration would be exceedingly difficult under the best of circumstances, and security issues definitely do not present the best of circumstances. While good security may prevent serious losses, it very rarely brings in money.
Security risks, moreover, are notoriously difficult to predict and quantify. As such, management staff tends to view preventative security measures as something of a luxury, particularly if they have never experienced a major security breach. Indeed, they often tend to view IT staff who advocate for improved security as alarmist or paranoid (though, to be fair, this view is not always unjustified).
IT staffers, for their part, often fail to place security concerns in context, focusing on technology issues to the exclusion of all else.
This makes communication with non-technical staff even more difficult and can further feed the perception of IT staff as alarmist by encouraging proposals that, while technically elegant, are overly burdensome or otherwise unfeasible in practice.