When i was reading book on Linux Security: Craig Hunt Linux Library By Ramón J. Hontañón, I got very beautiful terms of Information security.
“Security is not product. It is not software, and it is also not simply an excuse for a consulting engagement. It is a discipline that needs to be taken into consideration in any decision that you make as a network and system administrator. Security does not start or stop. You cannot install security, and you can’t even buy security. Security is training, documentation, design decision, and appropriate implementations. And the most important aspect of security is monitoring and honing your security policies as needed.“
Well many organization follow the security auditing VAPT task, but they don’t follow the security policies. Even they miss to organize security training for their employees. they create disgruntled employee, may be due to senior authority ego, attitude etc.. and that is the loopholes for that company to data leakage.(See my earlier article)