A fair amount of talk in the security industry involves whether organizations are being proactive, reactive, or some combination of both. Risk assessments can proactively identify threats and vulnerabilities, while security devices (firewalls, IPS, anti-virus software, etc.) attempt, and in most cases deliver, early detection and mitigation of security threats (real or suspected).
While most people would agree that assessments and security devices are necessary, convincing management to make the investment in them is a challenge. Regulations and industry standards (not just within the security industry) can help justify the investment, but is that enough? Obviously, in today’s economy cost is a big factor and, truth be told, some of these devices (and their implementation costs) can be expensive. Other than cost, what other “reasons” (good, bad, or otherwise) do organizations have that prevent them from taking a more proactive stance on information security?