… security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology.
I totally agree with the above. At my current place of employment I was brought in for two reasons: to research, purchase, install, and configure a scalable server farm, and to rework the current security policies and methods.
I’ve since removed access from most servers for anyone who is not an administrator, created a DMZ, put firewall rules into place, closed ports and services, etc. The thing that amazes me most is that some of the coworkers have complained about the new measures I’m taking. I guess laziness and lax security go hand in hand.