Centrally managing corporate browser settings and locking down their security options is a great idea, as opposed to letting users do whatever they please. It shows attention and diligence.

However, doing so while still permitting lax passwords and not alerting on security failures demonstrates a distinct lack of focus. Fine-grained browser settings won’t help your organization if a bad guy can roll up on your Internet presence and run THC Hydra with impunity.

Your internal controls don’t amount to much protection if your external controls are stuck in the 1980s. Failure to fix the obvious is an invitation to being hacked.

Don’t forget about the simple stuff, and have your systems tested by people who will do more than just point a vulnerability scanner at the address space. Use some sense and focus on what’s going to be most effective, not what was in the news last week.