If you’re a security manager and want to reduce your stress levels, start by changing any of the following that exist in your organization.
1. Servers where ordinary users have log-in accounts.
2. Users who modify their own desktops, especially by installing their own software.
3. No mechanism for scanning the network for open ports.
4. A single server running everything.
5. No logging of firewalled traffic, no summaries or periodic traffic analysis, and no one looking at denied or rejected packets.
6. Lack of an intrusion detection system.
7. “Temporary” holes made in firewalls to accommodate specific requests.
8. Passwords kept on default settings with no password aging in force.
9. No subscription to a third-party bug-tracker; employees instead rely on the vendor to tell them of vulnerabilities found in its products.
10. An operations team that is not paranoid enough.
Source: Sitaram Chamarty, Silverline Technologies