Which category does your organisation belong to in security?
1. I don’t give a f**k
These organizations don’t really care: they have open ports and exposed systems, weak passwords and weak security controls, and implementing security is nobody’s responsibility.
In most cases they assume that security is already handled by somebody else: the service provider, the system vendor, the operating system vendor, or just anybody out there. They get hacked, usually several times before they even know about it, and funnily enough they usually carry on the same way as before. Sometimes this can be an effective strategy when systems can be quickly replaced or rebuilt and no confidential data is lost, but these organizations with weak systems are providing platforms for botnet controllers without even knowing about it.
2. Neurotic
These organizations have no understanding of essential security controls. They try to control security here and there without planning. They get scared by every security-related media story and usually do not run proper audits because they are afraid of the results.
3. Reasonable
These organizations know how to evaluate their systems and are capable of putting proper security controls in place. They also have proper controls in place to handle different types of security events and have quick recovery times. They know what level of risk is acceptable for their business and have a systematic approach to evaluating their security controls.
4. Exploit sources
These organizations purposely add ‘secret’ backdoors to their systems, like the Zyxel backdoor with a hardcoded username and password, or they are companies that develop and sell unpublished zero-day exploit information to questionable buyers.