In fact, the more security layers are in place, the more likely it is that some will interfere with business operations, said Nathan Wenzler, executive director of security at Washington DC-based Thycotic Software Ltd.
Security products need to be configured then, once they're in place, they might need ongoing tuning, patching, or other kinds of maintenance. Administrators need to understand how the initial configuration and the subsequent changes might affect business processes, as well as other security systems, he said.
But most organizations only have so much expertise and time to go around.
"There's not enough time to implement them well, and keep managing them well," he said. "That becomes a challenge."
Operations teams aren't the only ones who might try to fight back against too-restrictive security layers. Individual users can, as well, said Leah Neundorf, Senior Research Analyst at Cleveland-based security consulting firm SecureState LLC.
Say, for example, a company decides to use different credentials for different systems as part of its layered defense strategy.
Users are going to try to defeat that by using the same set of credentials for all systems, she said.
At a minimum, a company is going to want a set of credentials to access internal systems and another set of credentials to access email.
Users who use their email address as their account name for internal systems -- and the same password for both -- are creating a major security problem, since its so easy for outsiders to find out employees' email addresses.
She suggests that enterprises require different formats for user names and passwords to different systems.
"And make sure people understand the reasons you're putting these things in place," she said.
She also warned against credentials that give users access to, say, all the systems within a certain layer.
"Every admin doesn't have to have god rights," she said.
With each new security layer come integration challenges, where one product might interfere with the functioning of another, or create security policy conflicts.
"Sometimes interactions can have operational consequences," said Fred Kost, VP at Mountain View, Calif.-based security vendor HyTrust Inc. "It's critical for CSOs to test and validate layered security under different attack and load conditions. Clever attackers might use this to render some of an organization's layered security ineffective."
The tendency to buy best-of-breed systems from different vendors can also cause communication problems, forcing security analysts to learn to work with multiple systems instead of having one single view of a company's security situation.
The effort required might outweigh the benefits, said Usman Choudhary, chief product officer at Clearwater, Fla.-based security vendor ThreatTrack Security.
Sign up for CIO Asia eNewsletters.