Key Mistake 2: Uncommon Standards
Enterprise environments are characterized by increasingly complex networks of operating systems, computing platforms, and a mixture of devices. Some of these devices are owned and controlled by the enterprise; others are not—think "Bring Your Own Device" (BYOD) programs. In addition, networks often span boundaries at multiple levels: intra-organizational (departments, divisions, and units), inter-organizational (external contractors working onsite, partners, suppliers, and customers), and geographic (everything from multinational corporations to employees traveling with corporate or personal devices). A mosaic of policies and procedures necessarily grows up around securing this complex array, and the stakeholders who develop those policies and procedures each have their own functional requirements and security assumptions for the portion of the mosaic (the devices or networks) within their purview.
The trouble with this fragmented approach is that, while the requirements and assumptions may hold true for specific devices, vulnerabilities often exist in the interfaces between devices, between systems, and in the flow of data across them. These combinations of independently secured components ("mashups") lead to security failures when an assumption that holds on one side of a device or network boundary proves false on the other. A common example is a control that one team relies on (input validation, authentication, encryption in transit) that another team assumes is performed elsewhere, so no one performs it. The security issues and basic assumptions driving functional and security decisions across the different system components may be unknown to the other stakeholders, may differ substantially, or may simply be too complicated for any one individual (or even one set of individuals) to understand comprehensively in terms of both security and functionality.
Starting point for addressing this issue
Developing shared standards that explicitly address cross-boundary "mashups"—what each side of an interface must validate, authenticate, and protect, and which assumptions it is entitled to make about the other side—facilitates enterprise security in these increasingly complex environments. Consider adding both basic and confluence training to the enterprise's "security awareness" training programs. Basic training focuses on fundamental concepts in security and software development—concepts that are likely already included in your training program. Confluence training builds on these concepts, places them in the enterprise context (the specific boundaries, data flows, and stakeholder assumptions described above), and facilitates cross-enterprise collaboration so that the teams on either side of a boundary know what the other expects of them.