There is a problem that Michael Mimoso sees with IT security, and it has to do with expectations. To put it simply, IT security is expected to consistently improve and expand, but without the support or monetary backing of the organization. Instead, the IT security management has to beg, yell, or “hold their breath until they turn blue” just to get funding for a solution years old: Ideally, those things should be overhauled because they don’t work anymore. But the Titanic couldn’t turn on a dime 100 years ago, and neither does big business today. Other priorities that make money get the attention of business decision makers before budgeting for the latest and greatest security widget is stamped “approved” by the CFO or CEO. Taking shots at security managers who are handed a budget that essentially maintains the status quo does nothing to advance the industry. Taking shots at security managers who have no choice but to listen to auditors first does nothing to advance the industry. The solution isn’t pretty: either IT security professionals have to learn how to better communicate the value of what they need to executive management, or they need to accept that, in the end, it’s the will of their boss what squeaky wheel gets the grease.