A lot of people are only concerned with security because they have to be to comply with rules and regulations. Although I'm not a fan of the
over-regulation that sometimes appears to permeate our lawsuit-happy society, I have seen some good effects of, for example, the Sarbanes-Oxley legislation. Due to the requirements of Sarbanes-Oxley, many superfluous IT projects are shelved and the ones deemed appropriate are spec'ed out much more meticulously on the front end -- as they should be.
To explain this another way, IT professionals have been howling about onerous project demands for years, e.g., constant tweaking of automated reports, lack of support during design phase, lack of user testing and sign-off, no attempt to define requirements. Going to a "release model" of software improvements was only done at one company I've consulted with and they had 30 people in the IT department. Smaller IT departments don't possess the clout to promote agendas to management, moreover IT professionals are often not the best evangelists for proper application design and implementation. Incredibly, it took two Washington politicians who probably know nothing about application software design to inadvertently help solve our problem by forcing us to follow documented procedures.
The implementation of formal data security policies should not be considered to be different than other IT projects
or other security projects. Establishing application architecture security is just as important as the lock on the check safe or, as I've mentioned before, the lock on the President's or CEO's door. But in the past having the system "up and running" was the finish line at which we went back to replacing bad cables and resetting forgotten passwords. The reality of "up and running
securely" should be considered the goal in today's security-conscious IT department. And then we can comply with whatever new mandated security regulations "they" come up with -- by default!