Two things you never want to hear (especially on the same day):



* From an IT director to the CISO: "There is no need to involve your group in the project yet -- we have not even decided on the product!"



* (overheard) Admin: "Do you think we should tell the security officer about this?" Manager: "No, he did not get in."



Now, I could do a full writeup about how important it is to include information security officers from before the planning stage of every project, and how even the slightest sign of unusual behavior should be brought to the attention of a security person, but I will not do that. These two quotes should speak for themselves.