My top 10 reasons about why companies don’t move security projects into being a priority, in no particular order.  These came from my experience and no scientific evidence or poll.

1. Concerns over User Complaints: Users scream when they can’t get to a “business related’ website.
2. Concerns about Usability: Management wants to make sure users can get to what they want to do their jobs.
3. Performance Concerns: Encryption will just slow down our computers.  We don’t want the performance hit.
4. Lack of Understanding: That technology probably won’t work with our software package.
5. No Internal Bandwidth: We just don’t have the available resources to work on that stuff right now.
6. Money is Tight: We aren’t allowed to spend any money right now.
7. We are too Small: No one will care about us because we are just a small organization.
8. No Mandate from Audit:  Audit didn’t tell us we should do it so we are okay if we just ignore it for now.
9. Where to Start:  We have a lot of things we want to do but we need to put a complete plan in place before starting anything.
10. No Pressing: We have other more pressing projects this year but we can consider it for next year.