IT Security: The Global State of the Art

IT security, like Mom and apple pie, is something everyone's in favor of.  That's why it's interesting to see what an authoritative publication like CIO magazine finds out when it does a survey of the global state of the art (in this case, involving over 8,000 respondents in 62 countries across six continents).  The survey also yielded six "secrets" (yes, journalists will be journalists) of effective IT security:

  • spend more; you do get what you pay for;
  • separate information security from IT, and in fact merge information security with physical security;
  • conduct penetration tests; better you should discover your vulnerabilities than a Sasser worm code jockey;
  • perform a comprehensive risk assessment; this is jargon for the common-sensical approach of fixing the big, dangerous vulnerabilities first and saving the trivial, harmless ones for last;
  • define your overall security architecture; this is jargon for making sure that all your "local" solutions can work and play well with others; and lastly
  • establish a regular (they suggest quarterly) review.

Counterintuitively, the study also found that companies with a higher degree of confidence in their security measures were in fact more secure:  Of the "best practices" group, nearly 80% of CEOs were "very confident" about security, while in the rest of the world only 30% were.  Why do I label this counterintuitive?  Because in many contexts the best defense stems from a healthy paranoia.

But the numbers speak for themselves.  Even though many of the "best practices" firms were targeted more often in 2004 than in 2003, they suffered less downtime and lower financial losses.  So maybe they do have reason to be confident.

http://www.bmacewen.com/blog/archives/2004/09/it_security_the.html