Eventually the e-mail worm outbreaks come back-to-back, compromised systems are discovered, and machines are constantly down or slow because of malware attacks. One day a big security event happens, a client or management gets really upset, and both IT and management wake up to the problem.
In Stage Two, management and IT agree to get more serious about computer security. Anti-virus software is purchased for e-mail servers or installed on user desktops. A network firewall is installed (but with an allow-by-default rule set), password lengths increase, and end-users are educated about the most common threats. An existing employee is told they are in charge of security, but in reality they have little to no authority, and their major job task is assigning and removing passwords on multiple systems.
Management thinks it has addressed the problem. Worm and spyware outbreaks happen less often, but the entire system still goes down a few times a year. If a major worm or virus gets announced in the media, it always hits the company badly. Another major security event happens, just as bad as the first one. Things aren’t fine.
This is the first step into what I think is a real security environment. A real security officer, with a security certification or training, is hired or appointed from within. All employees sign an acceptable use policy when they are hired, and passwords get longer and are required to be changed at least twice a year. There's a focus on automating computer security. Anti-virus software is installed on all desktops and automatically updated from location-specific servers, patch management software is utilized, and additional scanning programs to find malicious software are set up.
Viruses and spyware are finally under control. External threats are minimized. Then an employee is caught hacking the system and an IT manager is caught reading management’s e-mails. Internal threats become a very real problem.
Management tells HR and IT to work on computer security policy, and to penalize employees who fail to follow proper guidelines. Some sort of industry guideline or legal compliance legislation (HIPAA, SOX, GLB, and others) kicks in, adding to company security policy. Passwords are complex and changed once a quarter. Dangerous e-mail attachments are blocked at the gateway.
External consultants are frequently hired. IT is interested in buying IDS, IPS, and other cutting-edge technologies that promise the world but always under-deliver. The security team is actually brought in at the beginning of projects, and software developers are trained in secure coding.
Security is being considered by all members of the IT team, and management fully backs the IT manager and the security officer on all major decisions. The oversight audit team works in conjunction with IT security to perform internal audits and prepare for external assessments.
Still, some security events happen. Some employees are still opening every file attachment no matter how many times you educate them. Eventually, a confidential database is breached from the outside, and tracked to a compromised internal employee’s computer. All they did was install the latest cool thing off the Internet.