Keith Tokash opens up a topic close to my own heart, and one that I am working on right now. Go there and add comments so that my job is easier.
I believe that there should be a Security Design team and a Security Audit team. All security operations should be performed by Network Operations.
The SecAudit team should consist of consulting-type people who love writing policies, working with management, and reviewing that the work that has been delivered matches the plan and design. This includes reviewing Security Operations (which is most likely delivered by Network Operations). They do not perform hands-on work or any day-to-day activities.
The SecDes team are used to reference and validate all Security changes against the reference designs derived from Policy. They are Network Engineers with a specialisation in Security and can assess impact on Network Integrity.
Leave comments if you want me to expound more on this topic.