It has been used in S4x13 theme. This blog is part 1 of 2.
Most often, security technology sales send security alerts to top management to demonstrate their value preposition.
Top management is likely forward this “intel” to cybersecurity management team simply with “Please handle” to relieve their obligations from getting intel but do nothing.
Cybersecurity management team obtains this directive, then drives the ICT/ICS workforce to apply the recommended work around (change system configuration, apply security patch) and compiles a dashboard for reporting completion status.
The ICT/ICS workforce dare not to say no but to accommodate such executive order at extra work load from routine work.
This isn’t an effective cybersecuruty management. The proper means is to assess the threat, current protection and business consequence.
The “Now, Next, Never” in S4x19 best describes the correct attitude.
So, if not now, could be next or even never.