Hurrah! Not
Wonderful! Grand! Well done! Except...
Buy all the 'security technology' in the world - even go so far as to install it (and that's not a given). My goodness, I've even heard of companies so radical as to provide resources to sustain the 'security technology'. But it's still all for naught if we don't have the framework, processes and education to support it.
There are still too many companies and organisations out there in 'check the box' mode. "We should have an IDS? Check." "Oh, we need DR testing? Check." These types of enterprises happily slap in their 'security technologies' without regard to standards or internationally accepted codes of practice, check the box and merrily go on to the next thing.
The results of this are simple. Without education, standards and a strategic, 'defense-in-depth' approach to security, the only difference made will be to the expense column of the budget.