Often I find security professionals and management treating security as a project or series of projects. While there may be security related projects within an organization, I would argue security as whole should not be treated as such. Securing ones environment does not have defined start dates, end dates, or even budget. It needs to be part of every information system project and baked in from the beginning. Security should be part of your regular scheduled maintenance and support structure. By treating security as one would treat personal hygiene, security becomes part of the daily routine. Lather, rinse, and repeat.
I have eluded in previous posts that security products, while sometimes helpful, can also cause more overhead and issues. Specifically, products designed to provide a "band aid" to improperly designed or implementation information systems would be the equivalent of splashing some cologne on everyday and not taking a shower. Eventually, there will not be enough cologne in the world to hide the stench. So don't be the smelly kid! Lather, rinse, and repeat.