Every parent who has taken a lengthy trip with children is familiar with the question "Are we there yet?" As a child, you probably asked the question when the length of the journey exceeded your interest in making it.

Today, many firms have a similar impatience with their information security--or "infosec"--strategy. A major source of CIO frustration is the lack of clear end point for infosec. "Security practice is completely up for grabs in terms of definition, available software, process, reasonable cost and executive appetite to adopt," says a former telecom firm CIO who now serves as a midsized-company consultant. "Everyone I talk to is unclear [about] what will be required as part of enterprise risk assessment."

We contacted 135 companies (62 large and 73 midsized firms). The consensus among respondents is that security challenges create serious company misalignment. Firms exhibit various disconnects between infosec strategy and the enterprise, particularly the following:

• the security strategy and the enterprise strategy;
• the security strategy and the implemented program;
• security technologists and the enterprise as a whole;
• basic security literacy and senior executives;
• true spending on security and optimal spending; and
• the practice of security and day-to-day operations.