Company management will always believe that security is a temporary problem which given time will subside.
They believe the risk will reduce or a 'silver bullet' is just around the corner.
They spend their thousands on security solutions hoping they will be the last, hoping that the security outlay will reduce as legislation matures and hackers are deterred by stiffer sentences.
There is even a hope that ISPs or some intermediary will police and govern activities on the Internet to prevent attacks and computer crime.
Let's face it, if we increased the custodial sentence for murder it would not stop people being killed each year.
Taking real-life crime as an example, we have plenty of prevention in place to guard against burglary, robbery, car theft, physical abuse etc. We also have a justice system that is designed to deliver punishment, and yet these crimes still take place.
Security is here to stay. And like real-life crime, unless you remove the targets and all motive and opportunity, it won't disappear.
Corporate mentality to security is as it is because computer-related crime is a relatively recent phenomenon and the days when nothing was spent on information security are in living memory.
Securing an appropriate budget to protect your organisation can be a difficult task. Like insurance, it's hard to justify paying the premiums until such a time comes when you need to make a claim.
Businesses will have to continue to upgrade and evolve their defences to stay functional.
Risk assessments are still viewed internally in such a negative way, almost as if some evil force is trying to block the forward movement of the business. Security is to blame for the excessive time taken to change business process, infrastructure and systems development, but this is because security has yet to be absorbed into company culture.
I hear all the right noises, corporate statements and management saying, 'Security is everyone's problem' and, 'we take security very seriously', but I don't see a widespread change in the way security is viewed yet. The sudden international boom in security vendors and product offerings has caused some to view the industry cynically.
'Supply and Demand', I hear the vendors shout, but then they embark on a massive FUD (fear, uncertainty and doubt) campaign to increase awareness, fuelling corporate cynicism. On balance, vendors would not have to adopt such an approach if the corporate world were more responsive to the problems.
I've spread my share of FUD, that's what articles like this are, but we are in times of change and I hope the present time will be remembered for the period when businesses started to take security seriously.
I try to draw parity between other such requirements, like physical security or insurance, and wonder if those areas had a similar battle to become accepted. I also tire of banging the drum and think 'Why bother?' But then an opportunity arises to show someone else the light and I take it!
The good news is that there are some businesses that are doing all that they should in terms of security, not many but more than a year ago, and so maybe the message is slowly getting through.
I just hope that these businesses and all future converts are onboard through their understanding of the issues and acceptance that security is a necessity, and not because they have suffered the impact of an incursion, seen the horrors first hand, lost downtime, lost money, lost respect and reputation, lost trust but managed to survive and quickly bolted the door!
I will end with a message to all corporate management and we will see where we are a year from now...
Businesses must invest in information security. This is not just a case of buying products, but real investment, education and process change.
They will have to keep spending on security, and their costs will probably increase because constant evolution of their corporate defences is required.
This will be the case as long as there is some change, be that to the threats, risks or nature and shape of their business.
Phil Cracknell is chief technology officer of NetSurity
