More often than not, we consider a new security control, whether it be a firewall upgrade, a host intrusion software deployment, or an Identity Management solution, and fail to ask ourselves:
Why are we doing this?
What's the goal of putting this security control in place?
Are there any risks associated?
What is the expected outcome?
Is the way we're deploying this technology the "best" that we can do? (Without impacting business efficiency, of course.)
I know it's simple in nature, but seriously, asking those questions is where the real securitah lies.