Many organizations are opting to define security policies based on regulatory requirements, however the result is that their security postures become very quickly out of date. With new threats emerging weekly, the time lag inherent within the regulatory creation and implementation process is an obvious problem. Despite this obvious. vulnerability, organizations are actually moving towards a. first model, rather than a. security first. model, and businesses that fail to. listen will pay the price, however, by taking a. compliance-first approach,. organizations are effectively advertising their security. posture to. hackers.”]