I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.
I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.
A real cracker could rack up double that in a 3-day weekend. Even with only one compromised machine.
And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.
I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.
It really comes down to YOUR skills in PROTECTING the systems
vs.
the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.
So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.
And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.