Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.