Get with IT

Are you feeling insecure lately? No, not about yourself, but about your organization's competitive position in the marketplace? What about its ability to meet client and business partner obligations, or its ability to stay out of the court system and on the good side of industry and government regulators? Well, if your organization is like most, it has problems - big problems - when it comes to protecting one of its most valuable assets: electronic information. Sensitive information on your computer systems is second in value just behind your organization's employee capital. So what are you to do? Fall in line and move along with the herd?

There are a lot of security tips out there that you can follow: firewall this, encrypt that, strong passwords for all, and security policies that leave no byte unturned. These are all security "best practices" we hear about and have forced on us by auditors, lawyers, regulators, and (perhaps worst of all) vendors generating hype via their fear, uncertainty and doubt-based marketing tactics. An alarming number of organizations buy into this free advice and blindly operate their businesses believing that if they throw enough money into technology and document some key security policies, they are safe. Everyone else is doing it, after all - yeah, right! This one-size-fits-all mentality is bad for business.

Having said this, there are a few key things you will likely need to have in place before you can effect change and reasonably secure your information systems:

1. Key leaders and decision makers who understand the importance of security, privacy and IT governance - not just as a best practice or regulatory requirement that the company needs to dodge, adhere to minimally or ignore altogether. In other words, people with the bravado to see security and privacy as legitimate business issues and who can make things happen.

2. An IT governance/oversight committee made up of several people from various areas of the organization that calls the shots - i.e. creates and enforces security policies - not just the IT administrator doing his/her own thing.

3. An information classification system that clearly outlines which electronic assets are present on your network, which information needs what type of protection, how you are actually protecting it, and how it needs to be retained for legal and regulatory purposes.

4. Security standards that every administrator, manager, developer and team works by to ensure that all critical systems are consistently secured throughout the organization.
