11. We still see an extreme lack of maturity in the IT space for foundational elements. IT shops don't know what assets they have, how they are configured, who has access to them, or how and when they were changed last and by whom. Software is not written with closing holes in mind nor written (and I really hate this misnomer but have to use it for understandings purpose) securely. There is no such thing as secure code only code that has been properly written, tested and validated to do what it says it is going to do and only that no matter the input. Monitoring is incident driven and projects are not run with full-fledged project schedules including dependencies, slack, costing, (and even a mention of earned value management).
12. And then there is #12 who by the time they have read to this point are completely incensed at the above words largely since they are part-of-the-problem.
To cover the 12 areas without the narrative:
I have been in this game for nearly three decades. Almost every IT program encountered, every information security organization engaged, the problems remain the same. You can close your eyes and hear the same people making the same excuses, deflecting the same issues today as they did and have for 30 years. The CISO is held as the scapegoat. The CISO is shot for communicating the message. The process of communicating the message becomes the target for remediation. True causal analysis is not performed only analysis to keep the finger pointed at the wrong individual or group. All while IT and the CIO skate away on the thin ice of the new day (thank you Jethro Tull).
Sign up for CIO Asia eNewsletters.