Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element. These control systems can themselves be attacked, and the service they provide disabled.
Take, for example, a network intrusion detection system: is the control console system protected? Is the back-end database on its own server, or is it part of a shared environment? Are the updated signatures delivered over a private physical network, or at least a separate VLAN? Are the administrators themselves audited periodically?
What I have seen many times is that the worst security in a company is on the security group's own control systems. Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems. They are assigned additional duties without additional personnel, or the work was left out of the budget. It can happen to the best: there have been numerous luminaries in the information security field who have been hacked. Sometimes earning a living takes all your time, and there is nothing left for securing your own systems.
If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software, etc., you should contract someone who can, and then audit them regularly.