Simple security can be good enough if it is approached correctly, says Andrew Kellet, senior analyst at Ovum.
IT departments should aim for comprehensive security, but this should not mean complexity, he told Computer Weekly.
"Information security professionals can ensure that whatever plan they implement is good enough if it maps to the unique information security needs of their organisation," he said.
Moving to integrated products from a single supplier can help to ensure comprehensive protection while reducing complexity, he said.
"Most businesses have been forced to review their security systems in the downturn, so it would be surprising if most companies are not some way down this road already," said Kellet.
The guiding principle should always be finding the best and most appropriate way to protect company information based on its value to the organisation, he said.
"Organisations that have not done so already, should go back to basics to identify exactly what information assets they have and what level of protection is needed for each," he said.
Kellet is to lead a debate with information security professionals from several multi-national organisations on whether simple security can be good enough at Infosecurity Europe 2010 at Earls Court in London from 27 to 29 April.