- "We can save the money on the firewall, because we will have an excellent IPS deployed next week," said the CIO.
- "We hire consultants to create the policy for us, and we will pay them to audit our PCI compliance status later on. So I know we are safe," said the CISO.
- Disable the "change password" capability. This keeps users from forgetting their password and saves us from having to reset it for them.
- Limit the event log size to 3 MB in order to avoid filling the hard disk.
- We're just too big to FAIL.
p/s: All the "advice" above is what I collected (in real life) over many years of working experience. These are not the recommendations they themselves made.
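The "3 MB event log" item is the one on the list that maps directly to a setting, so here is an added example (not part of the original post) showing that weak setting beside a defensible one on a Windows host. It assumes an elevated PowerShell session; the log name, the 1 GB size and the 1 KB average event size are illustrative choices, not values from the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on Windows.
# Log name, sizes and the average event size below are assumptions for illustration.

# --- The weak setting from the list: a tiny log that overwrites as needed ---
# On a busy host a 3 MB Security log can wrap quickly, so evidence of an incident
# is overwritten before anyone looks at it. The disk stays free; the forensics do not.
Limit-EventLog -LogName Security -MaximumSize 3MB -OverflowAction OverwriteAsNeeded

# --- A defensible setting: a large log that is archived when full ---
# /ms: sets the maximum size in bytes (1 GB here). /rt:true with /ab:true tells the
# Event Log service to archive the full log to a file and start a new one instead
# of discarding old records. Forwarding the log to a central collector is the
# real fix for the "disk full" worry, and the archive files can be pruned by policy.
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# Verify what is actually configured rather than trusting the change went through
wevtutil gl Security | Select-String 'maxSize|retention|autoBackup'

# Size the log deliberately: estimate how many events fit before it wraps.
# AvgEventBytes is an assumed figure; measure it on your own hosts.
function Get-LogCapacity {
    param(
        [Parameter(Mandatory)][long]$MaxSizeBytes,
        [int]$AvgEventBytes = 1024
    )
    [math]::Floor($MaxSizeBytes / $AvgEventBytes)
}

"3 MB holds roughly $(Get-LogCapacity -MaxSizeBytes 3MB) events of 1 KB"
"1 GB holds roughly $(Get-LogCapacity -MaxSizeBytes 1GB) events of 1 KB"
```

`Limit-EventLog` only manages the classic logs (Application, System, Security) and expects a size that is a multiple of 64 KB; `wevtutil` covers every channel, which is why the corrected setting uses it. The point of the capacity function is to make the trade-off explicit: the advice on the list trades a few megabytes of disk for most of the host's audit trail.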