Self-actualization. The security team and management finally understand that allow-by-default and deny-by-exception policies will never work. Strict computer policies are enacted, end-user desktops are locked down, and deny-by-default policies are implemented everywhere. Corporate computer images are the only ones allowed on the network. Employees caught trying to circumvent security policy are fired.
Patches are thoroughly tested and deployed according to a criticality rating. Vendor software must meet certain security requirements before it can even be considered for purchase. All confidential data is encrypted by default. Laptops and PDAs must have bootup passwords and data encryption. Authentication is built into corporate logons, e-mail, and physical security.
Finally, both internal and external threats are minimized or nonexistent. The latest computer threat is only read about, not experienced.
The scenarios and steps in each stage of Grimes' Hierarchy of Security Needs are only examples. The main point is that every company has some level of security maturity. All start from the beginning and move on to stricter phases, requiring more control and less freedom; internal and external influences drive the process. Where is your company?