If I had a nickel for every time I heard a networking professional say “I have a firewall, so my network is secure”, suffice it to say, I’d have a LOT of nickels. 10 years ago, firewalls were one of the primary ways you protected your network. But even then, it was difficult for the engineers to convince their managers, and then for their managers to convince the executives, that a firewall was necessary. They were costly and the mentality was “we don’t have an issue, why do we need it?”
Today, engineers, specifically security-conscious engineers, tend to stay current on network security, vulnerability assessment, and the ways in which data might be compromised, which is a daunting and never-ending task. A security engineer anticipates how someone might gain unauthorized access to their network, and therefore has methods of preventing, or at least logging and reporting, such access. These things take money and/or time to implement.
Managers will generally focus on both the benefits and cost of the engineer-proposed solution. They generally have a good understanding of what the engineer is proposing and the benefits of such a solution. They also understand what the executive level will and won’t do in relation to authorizing these types of projects, whether it’s funding or time-related constraints.
For those security projects that make it to the next level, the Executives tend to focus on the primary business objectives of the company rather than focusing on individual business units, such as Networking or Security. As a result, most security-related projects are done “post-mortem”, i.e. after an incident has caused an issue within the business.
The fact is that almost all businesses spend time and money on network security only after they realize there’s an issue, or when they are forced to by a regulatory body for compliance reasons, e.g. HIPAA, SOX, PCI DSS, etc. According to the 2013 Data Breach Investigations Report (1), 92% of all breaches were performed by external sources originating OUTSIDE your firewall, while 14% originated INSIDE (with 1% originating from trusted partners). What this tells us is that a firewall alone is simply no longer enough to adequately protect a network.
(1) Verizon, 2013 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2013/