Penetration testers trained to find ways to gain access to corporate systems point out that the best defense is often end users, if they are made aware that security is a top priority. Chief information security officers often put plans in place to help create a culture of security at businesses. But it takes time, according to the Ponemon Institute. Building a sense of security into end users cannot happen with one-off training programs -- there needs to be a systematic and consistent security program over an extended period of time, according to the Ponemon Institute. Organizations with a strong security posture according to its benchmarking measurements were able to contain costs when a data breach took place.