A recent article in CSO Magazine (Vol. 1, No. 2, 2004, p. 21 ff.) noted the "6 Secrets of Highly Secure Organizations". These organizations:
1) spend more on security
2) separate information security from IT
3) conduct pen tests
4) create a risk assessment process
5) define an overall security architecture
6) establish quarterly review process with metrics
These are all fairly obvious things to do. The real question is why so few organizations are actually doing them. Mostly, I suspect, because security is seen as a cost and not as an investment. Until security is seen as a positive benefit to the organization rather than as an overhead, obtaining budget and management support will continue to be difficult. The benefit equation will become easier to articulate as losses from security gaps focus management attention on security issues.