An excellent article at CIO Insight in their "Expert Voices" column concerning IT security. The article is titled, "IT Security, Reconsidered":
Business people know risk and return are opposite sides of the same coin; you can't have return without risk. So successful companies learn to analyze, accept and manage risk…most kinds of risk, anyway. When it comes to IT risk, organizations tend to focus on avoiding risk instead of managing it, by preventing intrusions and preparing to respond to catastrophic events. But instead of protecting companies, this approach to risk has blindsided IT to a long stream of IT disasters, from system meltdowns (Comair, Jet Blue) and stolen credit card data (TJX, CardSystems Solutions) to pilfered laptops (Veterans' Administration) and stolen data (U.S. Department of Transportation). Putting IT security back in the context of risk management has been the focus of George Westerman's work.
This year at work I have spent close to half my time dealing with a lot of IT security. I have not only been kept busy with locking down the network but also with way too much paperwork certifying that our machines are secure. When you spend so much time making the paper pushers happy that you're following the latest policies, it's hard to actually identify the true risks that don't show up on paper. More importantly, spending so much time on IT security not only locks out the would-be hackers but also locks your IT staff out from adding potential IT value to the operations. There has to be a balance somewhere...