Many organisations create a security concept, but fail to communicate its contents beyond a
small circle of people. This leads to a conscious or unconscious failure to comply with
requirements in situations where organisational time and effort would be required.
Even if a given security concept contains strategic objectives, these are often regarded by the
organisation's top management as just a collection of declarations of intent. The resources
then made available to achieve these objectives are often insufficient. It is also often wrongly
assumed that security is automatically maintained in an automated environment.
Without strategic guidelines, there is often an unstructured response to instances of damage.
This means only some aspects can be improved in the best case scenario.