It has become clear to me there is a difference between how IT and Operations approach security. The IT security organization is very focused on security, sometimes to an extreme. The Operations organizations generally pay lip service.
A homespun example is the home with doors and windows (not Microsoft). The Security organization will look for every door and window to make sure they have the same high price locks and the locks are on regardless of the economic risk from the specific door or window. The Operations organization will make the same inspection. However, Operations will ask if any of the doors or windows have been burglarized. If the answer is no, they will say the probability is too low to put a lock on until AFTER the burglary has happened.
We have to get both sides to the middle.