I believe that you can do too much of anything.  You can have too much insurance.  You can have too many advisors.  You can have too many protections in your business. If someone audited your security, would you have too many controls or not enough?  Maybe you have bought a lot of products, but are they being used correctly?  What are the policies in place to protect the business?  How many security classes have you paid your IT department to go to this year or this quarter?