IT security awareness is at an all-time high, and organizations are spending and hiring in record numbers. Legislation and regulations are proliferating. Yet, for all this effort, nearly every statistical measure of IT security performance — from the number of incidents and vulnerabilities to the cost and impact of a security breach — is bad news. In what other endeavor would so much investment be permitted with such poor results?
