There will never be an outright winner in the "arms race" between those who wish to misuse data for their own ends and organisations seeking to protect commercially sensitive information or customers' privacy.
As technology changes, threats come from different directions. The challenge is to spot them as soon as possible and take effective action.
For many years the focus was firmly on the security of the network, with the solutions being primarily technological, such as firewalls, anti-virus software and intrusion detection systems.
Now, the importance of security policies within the organisation is increasingly being addressed. But unless these are enforced, they remain an academic exercise.
It is not about doubting the honesty of staff; it is merely recognising that staff who do not realise the dangers or know how to minimise them can create internal insecurity every bit as threatening as a dishonest outsider.
"What characterises a good security function?" asks security expert David Lacey in his Computer Weekly blog. "If I were forced to select one thing, I would say it is the ability to close the loop, to check that policies, standards and controls are being implemented. Failure to do so is the most common reason for ineffective security programmes."
If only information security were as easy as putting locks on your windows and doors, installing a burglar alarm and feeling satisfied that you have done what you can to keep the bad guys out. That one-off fix is a luxury unavailable to organisations seeking to keep essential business information protected.
Constant vigilance is the price of staying in business in the information age, and that means effective security at every level of the organisation.