Sun engineer: Businesses should consider 'adaptive security'

29.10.2008
Proscriptive adoption of information security standards like ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist, Sun client services security program office, Sun Microsystems.

"Organizations that take the proscriptive approach see security standards as 'to do' lists, when in fact they are only suggested frameworks," Weise said. "This approach will never work as it simply does not consider the organization's particular needs."

Weise said that organizations should build a security architecture specific to their IT infrastructure and applicable to their business and technical needs.

To build a security architecture, the organization should consider an 'adaptive security' approach, Weise said. "Adaptive security is a framework for elaborating a comprehensive architecture that enables cost-effective risk management for threat containment," he said. "It also seeks to improve operational efficiency and system survivability."

Business complexity

According to Weise, the team in Sun's chief technologist office came up with the concept of adaptive security, building on work by others.