Large corporations will get it when there is a significant financial incentive that requires them to get it. They evaluate projects based on ROI, and the security industry has not provided the numbers that are required... just anecdotes. In small organizations there is usually one person that makes the decision, and they don't want their employees wasting time writing reports. Tell them the issue, and they will make the decision to implement it or not (the story didn't cover the hundreds of small organizations that don't get it either).

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/305/30834#30834