How to destroy your Cyber Security

You found it, you own it

This management principle makes the finder of an issue its owner and makes her or him responsible for fixing it.
Since Cyber Security's core activity is finding weaknesses, and 90%+ of these are to be fixed by standard IT management processes, this principle works as a tar-pit that wastes the valuable and expensive time of Cyber Security experts on other people's tasks.

Bureaucracy

Tie your Security staff into processes that are as tight and inflexible as possible. Reporting lines are a particularly valuable contributor here: Security personnel are not allowed to talk directly to the affected organisational units and have to follow the reporting lines to report anything.
See other functions in the company as controllers and not as supporters, and burden the Security staff with reporting and planning tasks as much as possible.

Budgeting

Plan the fixed yearly budget in money and personnel as tightly as possible, so that the Security Manager has to justify every need at least once a year.
Give money spontaneously with vague goals like „make it faster“ and blame the Manager for not being able to spend it by year's end. This accusation can also be used to restrict the next year's budget: „You were not able to spend the money last year, and now you are requesting more?“

Project Management

Burden the Security Team with as much planning and reporting tasks as possible, especially tasks that span a lot of teams within the company.

Responsibility

Make the Security team responsible for the results of others. The implementation of measures is of course left with these „others“ and prioritised by them.
Emphasise a culture where Security is seen as a disruption of important business functions by „busybodies“.

Add internal confusion

Found additional units with „Security“ in the name and a vague purpose, so that people's time and energy are consumed by turf wars.