Security spending still lags because executives are ignorant. This isn't to say that spending needs to go through the roof in order to have secure IT equipment and data, it's just a matter of prioritizing the basics and implementing best practices. Not even the most wealthy organization can spend themselves into a secure position. It's an ever-escalating arms race than nobody wins...except maybe for the security vendor of record.

IDS/IPS, NIDS, UTM, CSM and all the other acronym solutions don't assure compliance despite what the vendor's claim. Ultimately a person must weigh objective facts and make a determination on whether systems are well-performing, secure and compliant. Because so many of the certifications today are vendor-specific, most of the practitioners only know a specific operating system and are completely ignorant about networking fundamentals.

Securing the network is worth the money. It's simply a matter of understanding what's it worth in terms of skilled personnel, time and money. There's a lot that can be accomplished with a powerful automated network auditing tool if only someone were to use it regularly, review the data and make changes accordingly: policy & user intervention.