If an organisation's top management is not adequately informed of the security status of all
business processes, IT systems, and applications (as well as existing shortcomings), insufficient
resources will be provided for the security process, or these resources will not be used
properly. In the latter case, this may result in one area having an excessive level of security,
while other areas have serious security shortcomings.
It is not unusual to find expensive technical security solutions being used incorrectly to the
point that they are ineffective or even pose a security risk themselves.