Security Adviser: Corporate security's evolution

03.08.2006

But to be frank, that company and others like it aren't ready to listen to my spiel about all the current security risks and how I'm going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.

And that's where Grimes' Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I've classified them into five stages, much like Maslow's Hierarchy of Needs, based on their approach to security.

Stage One

In Stage One, no one thinks about computer security at all. Passwords are short and shared log-ons are common, no firewalls are installed, and the only anti-virus software they have came preinstalled on some new machines (and hasn't been updated since). Nothing is encrypted or authenticated. Infected and compromised machines are so common that most employees keep using them even when they know they have problems.

Eventually the e-mail worm outbreaks come back-to-back, compromised systems are discovered, and machines are constantly down or slow because of malware attacks. One day a big security event happens, a client or management gets really upset, and both IT and management wake up to the problem.