Security Adviser: Corporate security's evolution

03.08.2006
Most security solutions are a trade-off between ease of use and security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation (http://www.infoworld.com/article/06/07/28/31OPsecadvise_1.html) of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.

In my experience, most companies' position on computer security goes through a series of evolving steps that I can only equate to Maslow's Hierarchy of Needs (http://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs) from basic safety to self-actualization. All IT processes go through this sort of trending, truth be told.

A related example is how a company ends up forming a help desk team. When the company is small, it has just one IT person. As it grows, another person or two is added. Usually at this stage, employees know to contact the first IT guy (the IT manager), who triages the call and assigns it to a team member. As the company grows, more IT employees join the department.

Pretty soon, the company's employees have each of the IT members' personal cell phone numbers (used to be pagers) and call them at will. Each IT employee is running off here and there based upon the whims of the employees, with little thought to efficiency.

Eventually, somebody figures that all the incoming calls should go to a common number so a triage decision can be made, and a centralized help desk is born. A little thought and planning ends up saving the company time and money, and makes the help function more efficient.

The same thing happens in computer security. Some companies, like a law office I visited last week, don't have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.