Probably one of the more relevant reports on how to avoid typical security programme pitfalls you'll read.
One excerpt from it so true:
Organisations should strive for adherence (active participation) rather than compliance - rapidly emerging threats require employees who are engaged and willing to step up. Organisational leadership has a key role in developing effective and workable security - by helping security specialists to fit security into the business, breaking down silos and leveraging other organisational capabilities (safety, HR, communications) - but not least by setting the tone and leading by example. Measures to improve security behaviour should be an ongoing, iterative process - the human factor in cyber-security is never ‘solved’, and there is no simple ‘solution’, but human skills and knowledge, rather than vulnerabilities, can be made to work in favour of an organisation’s defensive cybersecurity.
So very true. An organization won't be adequately secure unless its culture is geared properly, for which senior management must support a strategy that aims to achieve this...