Organizations can view security postures as falling into one of the following camps:
An organization might have chosen a modest plan when it originally wrote its security policy, building its posture around the equipment and processes appropriate to a modest level, as described in Chapter 4, "Putting It All Together: Threats and Security Equipment." Plans get set in motion, and normal-course business is conducted. Situations can occur, whether they involve malicious attacks by outsiders, inadvertent errors by insiders, or potential vulnerabilities that are recognized and plugged before they can become issues. An organization must respond quickly and effectively to every situation by ensuring that concerns are addressed directly and that any resultant change is promptly reflected in its security posture.
This process works well in theory, but it can be challenging to implement on a daily basis. When situations do occur, changes are made expeditiously, so the organization can quickly resume doing business. Making the security wheel a fundamental component of an organization's process ensures that changes made on the fly are always reflected in policy and, most importantly, that changes respect the posture the company already has in place.
Changes rarely occur in a vacuum; typically, one change begets another. For example, an organization faced with a particular situation might implement a variety of solutions to combat the problem, possibly moving the company markedly away from its modest security posture. If the newly implemented changes reveal that the organization is pursuing a posture that is fundamentally more comprehensive, the organization should ensure that related policies are changed to reflect a similarly comprehensive structure. The concern is that an unplanned mix of modest and comprehensive security postures might leave the company with a sense that it is more secure than it actually is, and a false sense of security can be worse than no security. Firms with acknowledged low levels of security can ensure that users are particularly diligent in their dealings; firms that think they have a high degree of security installed on their systems might be less concerned with employee activity. And that is where the seeds of great vulnerability are typically planted.
A continual rotation of the security wheel can ensure that a firm's physical and logical structure is created, implemented, and reviewed in a fashion that is commensurate with its desired security posture.