Security Adviser: Corporate security's evolution

03.08.2006

Viruses and spyware are finally under control. External threats are minimized. Then an employee is caught hacking the system and an IT manager is caught reading management's e-mails. Internal threats become a very real problem.

Stage four

Management tells HR and IT to work on computer security policy, and to penalize employees who fail to follow proper guidelines. Some sort of industry guideline or legal compliance legislation (http://www.infoworld.com/article/05/12/08/50FEcomprisk_4.html) (HIPAA, SOX, GBL, and others) kicks in, adding to company security policy. Passwords are complex and changed once a quarter. Dangerous e-mail attachments are blocked at the gateway.

External consultants are frequently hired. IT is interested in buying IDS, IPS, and other cutting-edge technologies that promise the world but always under-deliver. The security team is actually brought in at the beginning of projects, and software developers are trained in secure coding.

Security is being considered by all members of the IT team, and management fully backs the IT manager and the security officer on all major decisions. The oversight audit team works in conjunction with IT security to perform internal audits and prepare for external assessments.