At one large organisation, a virus circulated throughout the internal network, most likely introduced from a laptop that had been taken home and connected directly to the Internet. While the security team spent days cleaning up the mess, they were powerless to prevent users and managers from taking their laptops home and connecting them to the Internet.
In his book “Practical Unix and Internet Security,” Professor Gene Spafford of Purdue University spells out Spaf's first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.”
This is a perfect description of almost every IT security operations team that I've met. It is very difficult to work efficiently in any situation where you are frequently faced with problems that keep recurring and over which you have no control. And it leads to immense levels of stress in people.
For instance, let's look at the viruses and worms that commonly attack Windows-based PCs. These things have been in existence for many years now, they are well understood (save for new subtle variations), and there are many tools and products available to defend against them. However, time and again companies are infected, and in some cases totally overwhelmed, by viruses. There is no excuse for this happening, save for the basic human factor of negligence.