Tuesday, July 15, 2008

Is your Security Guy Beanie (tm) on too tight?

I work in a reasonably large dedicated IT organization. Often, the staffers that I work with understand the risks and the controls that they can use on their systems as well as, or better than, I do. What they come to me for is a level of professional paranoia. They acknowledge the difference between the system administrator's "it must work" mantra and my "it must be secure and it must work".

This results in the occasional moment where we both acknowledge that security concerns are over the top - but that they need to be expressed. We need due diligence, and we need a full awareness of the risks. Even so, we're all aware that some of the security concerns can sound silly.

I simply tell them that my Security Guy Beanie is on a little too tight, but that I have to wear it like that to keep my paycheck.

We all chuckle, we figure out a reasonable set of controls, and the admins know that there is somebody who is paid to worry about the obscure things.

