Security Awareness Lifecycle
Ignorance –> Epiphany –> Paranoia –> Depression –> Call to Action
Ignorance
Security problems solved: you hired a security guy. You're not concerned about security. All firewalls are in place, virus scanners are scanning, data is stored safely in the cloud and backed up daily.
Epiphany
You discover your cloud provider hosts its servers overseas. This means your applications and data are entirely offshore. You comfort yourself by saying everyone else is doing the same thing. Each application security assessment you execute turns up fresh vulnerabilities.
Paranoia
Self-comforting really is not working well. You don't sleep well at night. You try to consider the legal implications of a successful exploitation that hits the popular press (but you're not a lawyer). Where's the chair? You think you're getting dizzy.
Depression
Moving applications and data back onshore is not an option — the genie likes to be free. You explain your concerns over and over again, but your boss, Mr. Krabs, is focused on more tangible crises at the Krusty Krab. You realize your leadership is still in phase 1 — Ignorance. Security is an intractable problem and you've got an ice cream headache that just won't quit.
Call to Action
You take a cold shower and slap yourself back to reality. You realize the only way you're going to win this war is through education and raising the security awareness of others.
Am I missing anything? I know there should be a phase at the end to wrap everything up, like Nirvana, but since I have never hit that step I'm not sure it exists. Cheers!