I agree with you and think the problem will worsen, as security is increasingly politicized, politicians who know nothing about the field will begin to use their security ideas as political flare. I believe we are going to enter a new era of computer security hilarity because of this.

A realization must be made: The fact that as security increases, functionality decreases. A piece of dirt has no security flaws.

Yes, but at least things like food can grow in a big collection of Dirt.

"One Thousand Steps Begins With One, but a Jack of All Trades is a Master of None"

Huh? Did you paste together two random quotes?

While I agree with your general argument, I have a lot of concerns for your second example. Which by the way, was exactly what I was telling people three years ago. Now with experience, I can give you some advice:

• Yes, if you scan shared folders on Unix boxes you're not preventing any infection spreading from one Unix or NAS box to the next, because there are close to none for them. However, what about files stored there infected with Windows malware that are being accessed by Windows boxes? AV scan of NAS/Unix shares can prevent those servers acting as infection vectors.

• Oh, yes, you're redundantly doing the AV on both the servers and the client workstations, so why you cannot remove one of them? This is a good question, but again you have not give it enough thought.

Look, if you can absolutely-positively-without-any-doubt be sure that no one is ever going to plug into your network a machine that does not have AV up to date (or is not sensible to such attacks, such as a Unix box) then you can remove the AV engine on the file server and leave it to the workstation to do the virus scan.

Somehow I think that the technical measures to prevent someone to plug into your network a non sanctioned equipment are going to be way more costly and difficult to implement. And no, just banning that as company policy is not going to work, people regularly bring equipment from home and plug it into the Ethernet port just to see what happens.

In fact, if I had to remove one of the two AV engines, it would be the one on the workstations. Workstations can be easily replaced and if they go down affect only a single person. Yes, there can be critical data stored on an individual desktop or laptop, but logic says that it should be a minor impact compared to losing a whole file server.

So keep hammering your server with weekly, no, make it daily, AV scans. File servers are there to be hammered, after all they are designed for... serving files. And consider AV scanning your file server just another of those security layers you correctly mention as the foundation of good security.

However, using such a bad example does not invalidate your argument. Yes, there are more than a fair share of completely useless security policies out there, and people prefer to keep them rather than taking the risk of thinking by themselves. I agree fully with that. Just as your bad example shows, if you don't think enough about them you may find yourself in an awkward position if something bad happens.

Or better yet, use a sensible security professional. Which I am not (security professional, I mean)

Major reason we often do anything someone thinks up is because no one in security wants to put their neck on the line with senior management by saying something is a waste of time and effort on the remote chance that something actually happens. They know their butt is on the line.

A lot of what you complain about is "security theater." That is, some executive mandates that something be done entirely so they can go to upper management and say that something has been done.

Effectiveness is not even part of the equation.