Since April 2010, I've been working on the network security management of Kyoto University. There are many things to consider. I've already published a report in PDF about the status and issues.
The fundamental principle which always haunts me is that adding security to a not-so-secure system is far more difficult than making the security component built into the system. In a large organization, you cannot change the policies and configuration of the running systems overnight; you need to negotiate with a lot of stakeholders to reach a consensus or an agreement. Consolidation takes a lot of time, especially for a well-established system such as the email servers.
Another difficult issue to handle is how not to restrict users from the legitimate use of the campus systems. A university is an organization of research and education. While leaving a system vulnerable to known attack vectors is not an option anymore, allowing failures in order to learn from the trial-and-error process should not be prohibited. Without a firm security policy, you cannot really decide what is right or wrong.
Catching up with new technologies is also a tough requirement to meet for a large network system. The global IPv4 address space will be used up next year, in 2011, so introducing IPv6 is a must, though not urgent; and the organizational DNS subsystems should be DNSSEC-ready, for both the cache resolvers and the authoritative servers. And I have to be able to explain that those changes will surely benefit the users and are worth paying for.
I'm sure I'm going to face a lot of existing and new problems next year, in 2011. And I'm hoping I will be able to solve at least some of them.