Early security assessments and action plans were basic in nature. This was due to the fact that when these plans were written many of the security rules were not released. Therefore, there was no way to understand the exact level required to meet compliance standards. For this reason, security recommendations and implementations took shape as a proactive or reactive approach. Which plan took place depended on the vendor, their product and how well they convinced an already confused audience.
These two approaches served as a foundation by providing better security for organizations in the beginning as they increased security and security IT infrastructures compared to what many originally had. Because of the continuing increase in electronic and physical risks to organizations, sole dependency on one of these earlier approaches could present problems for the organization.