I complimented her work. Her reply was that she hadn't done anything special. My first reaction was that she was being modest. Then I realized that she meant exactly what she said. To her, nothing she did in the normal course of securing her enterprise was special. It was all common sense and staying close to those security practices that make for a nice tight network.
There is a lot that we as security professionals do that is routine. We keep current on malware trends. We keep things patched. We follow the security world in general and watch the bad guys in particular. It's all in a day's work. And, if we do it right, our networks are pretty tight.
Every insecure network I have ever seen was run in a loose, slipshod way. IT staff did not follow the general rules of security, the security team was an afterthought, and basics such as monitoring were ignored because they took time away from running the enterprise. When I've analyzed those networks and presented remediation recommendations, the client has been shocked to find out how little the already massive workload actually changes.
The implementation of the controls necessary to secure the network usually makes network management easier, and the net result is a gain in both the security and the manageability of the enterprise. Security architectures, done right, extend rather than limit the general network architecture. Things get easier and safer, not harder. So why would anyone not do it right?
Well, what we have here is an educational opportunity. We need to make sure that our management and the IT folks realize that we, unlike that old saw about the government, are here to help. And all we need to do is "nothing special" as we do the normal day-to-day security tasks in order to get really special results all around. Of course, as with my colleague at the client, "nothing special" may mean significantly different things to different people.