Security Adviser: Corporate security's evolution

03.08.2006

Still, some security events happen. Some employees are still opening every file attachment no matter how many times you educate them. Eventually, a confidential database is breached from the outside, and tracked to a compromised internal employee's computer. All they did was install the latest cool thing off the Internet.

Stage five

Self-actualization. The security team and management finally understand that allow-by-default and deny-by-exception policies will never work. Strict computer policies are enacted, end-user desktops are locked down, and deny-by-default policies are implemented everywhere. Corporate computer images are the only ones allowed on the network. Employees caught trying to circumvent security policy are fired.

Patches are thoroughly tested and deployed according to a criticality rating. Vendor software must meet certain security requirements before it can even be considered for purchase. All confidential data is encrypted by default. Laptops and PDAs must have bootup passwords and data encryption. Authentication is built into corporate logons, e-mail, and physical security.

Finally, both internal and external threats are minimized or nonexistent. The latest computer threat is only read about, not experienced.