As far as most corporations around my neighborhood are concerned, the role of IT security is to keep the authorities at bay, so that business can go on as usual. Intelligently run businesses realize that they need security to safeguard what I consider their most valuable asset in the modern service economy: their data.
So a security officer is always being drawn between the need for productivity, the need to assuage the authorities, and the necessity to safeguard the corporate infrastructure. Which leads me to “Too much security is a bad thing”.
If one designs systems and services so that they are “absolutely” secure, then it will come to pass that not even their designer can use them.
Once upon a time I worked someplace where we created a login/access system that required three different sets of passwords and three different hops through an equal number of firewalls to get to the target machines. It was and still is very secure on paper, but it made our life so difficult that we scripted automated login systems to bypass all that cruft. Not to mention that uploading or moving files was a nightmare of chasing spaghetti SSH connections, and we had to maintain three different firewall technologies.
Too much security annuls itself. It forces people into such stress that they find ways around it. A moderate, well-designed IT security model where certain liberties are given, yet monitored, is a much better alternative. But that is for another technical recipe on properly setting up an auditable bastion perimeter for data centers.