Good article. Here’s the best excerpt if you don’t want to read the whole article.
“For a security program to be successful there needs to be backing from senior management. They need to support their staff. Enable security with the ability to execute and provide a safe framework for the enterprise to operate within. Security needs to be seen (and act) as a partner within an IT organization instead of an adversary. When half measures and evasion are relied upon by IT groups rather than doing things right the first time everyone suffers at the whim of the law of unintended consequences. It is far simpler to fix the problem in most cases than the waste energy trying to avoid it.”