I think anyone in the security profession has to be a little paranoid to be any good at their job. You have to be a little paranoid to be able to see risk everywhere and assess what you can solve, what you can’t, and the most important piece: the difference between the two.
As a parent you are constantly reminded by your children that no matter how hard you try, they will find a way to hurt themselves. The best you can do is minimize the risk and make sure you have an escalation plan. The same thing is true in security. Limit your risk and be aware of the steps to take when something does happen. One of the most difficult things for me to do is tell the difference between what I can do and what I should do (i.e. no kennels for the kids to keep them safe).
Now as far as security goes it is the same thing: find what you can do to best secure your data, but also make sure that the people who need access to that data can still be productive. I find that too often I get into the mindset of “locking it down” instead of the business mindset of how to make it as secure as possible without affecting productivity.
Just because you can make something more secure doesn’t mean you should. You need to take a step back and think about what the extra security will affect and weigh the consequences. Sometimes being a little paranoid is okay, but not turning on your computer so that you never get a virus may be going too far… or maybe it isn’t.