It has not been my experience that this is what most IT security orgs say in practice.
It's usually "No, unless we do it" followed by "And we don't have time to do it."
Which is fundamentally because they're a cost center, and typically staffed like one.
It has not been my experience that this is what most IT security orgs say in practice.
It's usually "No, unless we do it" followed by "And we don't have time to do it."
Which is fundamentally because they're a cost center, and typically staffed like one.