I speak of security in an organization, not a company, because I have seen the manifestation of some of these also in associations or in public agencies.
- Not responding to people's good moves towards security. For instance, a user reporting a vulnerability must always be thanked, and notified once the vulnerability is fixed. Another example: an executive coming to ask general questions about security must always be answered as soon as possible.
- Allowing unmanaged exceptions to the policies for the high executives of the organization. They are the ones with the most valuable data. Primary target.
- Letting some high executives of the organization think security is an IT-department-only matter. Good security includes physical security, human resources security, legal security and, of course, respect for the policies by all users, whatever department they're in.
- Implementing security solutions incompletely, because of a lack of resources. If IT or security people lack time, human resources, support from the hierarchy, or budget to implement security solutions correctly, their work is very likely worth zero. For instance, a logging solution that has not been precisely customized to fit the organization's needs is useless. It's time and money lost, and it's no gain for security.
- Letting consultants do all the "hard work". Because the daily job is often heavy, many companies (less true for public agencies or associations) call in consultants for every atypical job. This way, the employees don't increase their skills, and they don't get enough experience using the newly developed or bought tools, which means they can't react effectively in case of an incident.