A couple weeks back, a friend asked me over martinis (Belvedere vodka, extra dry, two olives, chilled glass, thank you very much), “what are the single largest contributors to good security or bad security in your environment?” I believe my answer surprised them. The single largest contribution to a good security program is due to the security professionals you have working in your environment.
1. They bring a planned methodology to security program planning, which helps make you think strategically, not tactically; think of it as "treat the disease instead of the symptoms".
2. Because they plan ahead, they usually act instead of react - always a good thing when you can avoid a problem before it arises.
The single largest contribution to poor security is…
Yes, the security professional. Hopefully it does not happen too often, but like any proud professional, sometimes we take ourselves too seriously, and sometimes we take the job too seriously. People I work with have often heard me use the words "Security Nazi". The analogy is not perfect, but the message comes close - they create more problems than they solve. This is in part because they solve the wrong problem, they often spend money unwisely (more for a pet project than for any purpose that really serves the company), and sometimes they are just intent on winning a power struggle.
Once upon a time, I worked for an organization in the U.S. Government. Part of the process for my organization was that the Office of Security (OS) had to sign off on any project before anything could be put into production. Unfortunately, OS knew this. They actually had a plaque next to their main office door which read “The answer is ‘no’.”
I mentioned in an earlier blog that one company I knew had installed a $400,000 biometric system everywhere. That had ultimately been the decision of a seasoned security professional, even though it was clearly not the best use of that money.
In another case I was talking to a CISO about PCI compliance. She had ultimately decided what their compliance strategy was going to be. I pointed out that they were doing way more than they needed to do in order to be compliant with PCI. If they had stopped with control "A", they would have been fully compliant with the line item PCI requirement. However, she decided that their implementation would be "A" plus "BCD". So, while "BCD" were indeed nice security measures, they were way more than was needed and effectively tripled the cost of reaching and maintaining compliance. And, by the way, nothing in PCI even suggested "BCD"; she was just using PCI as the club to help her get them done.
Unfortunately, the above are some examples of the impact that misguided security professionals can have. We [the security professionals] have to strive to help make the right decisions because they are truly the right decisions, not because they serve us. The ultimate job of security, after all, is to make things easier for all employees. We enable employees so that the company can meet the goals of its mission: getting the job done while protecting our cool information. Is that not the point?
