The stuff they use to protect the organization is, then, at risk itself. Now, I have to ask myself, "why would an organization spend a bunch of money on, for example, an IDS, and leave the IDS itself vulnerable?" The answer, I think, is: time, money, training.
New regulatory pressures have caused some organizations to buy additional security and privacy tools. Often, these organizations have limited resources to manage information security, so the tools are installed and the hope is that by their presence alone security will improve. Often, for now, this is the case, but organizations need to protect the protection they use.
I was teaching a class recently in which I commented on the validity of intrusion detection logs as evidence, and made the point that logs needed to be protected from malicious alteration.
To one student, the idea that an IDS would be installed so that the console was on an out-of-band fiber network and the sensors stealthed to the outside was normal. Another student had never been exposed to the concept. This is the fault of the IDS developer for not providing the appropriate training on deployment. It is also the fault of the organization for not demanding that training or seeking it elsewhere.
A tick-box mentality is insufficient to protect information assets. This mentality says that as long as you can satisfy the auditors, you have taken some information security steps, no matter how trivial, you pass the audit, and passing the audit is all that matters.
If you apply that approach and you get hit, you're toast – for two reasons. Your assets are not really protected, so you will experience a loss at some level (I know of losses of nearly a billion dollars under these circumstances). Also, you and/or someone at a higher level will be seen to have breached your fiduciary duty to protect organizational assets, and the law suits will just keep on coming.
Halfway measures to protect information assets are no longer acceptable. Protect the protection, and train the people who protect the organization's assets.
Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University