From Martin Wolf comes a story with real Infosec parallels (emphasis added):
We must not get diverted by the financial sector's opposition or by populist rage. We must focus, instead, on the core issue. Trying to make financial systems safer has made them more perilous. Today, as a result, neither market discipline nor regulation is effective. There is a danger, therefore, that this rescue will lead to still greater risk-taking and an even worse crisis at some point in the not too distant future.

"Trying to make financial systems safer has made them more perilous." Information security routinely gripes that systems are "too complex" and that this is why they are insecure: too much code, too distributed, and so on. These are fair points. But what happens when infosec has to offer a solution of its own? In almost every case, the security protocols and mechanisms put in place to mitigate some risk become the most complex part of the system. Does anyone see a problem here?
Either we impose a credible threat of bankruptcy, or institutions we have to support are made safer, or, better, we have both of these. Open-ended insurance of weakly regulated institutions that take complex gambles is intolerable. We dare not return to business as usual. It is as simple - and brutal - as that.
"Open-ended insurance of weakly regulated institutions that take complex gambles is intolerable." This echoes Brian Snow's point that the most dangerous security posture is to believe you are secure, and to act accordingly, when in fact you are not.