UK plc is slow to get the message on infosecurity. But that is an opportunity for IT leaders to practise business leadership.
Because the security threat comes from all directions - within and without, malicious hackers and bumbling suppliers - the best defence is a flexible security policy based on risk management.
Horror stories alone won't sell the need for this to the business leaders - although a good crop of horror stories about competitor businesses never did any harm.
When presenting the case for security policy, you need to quantify the value of information, explain how that information could be lost, stolen or destroyed and then offer a sliding scale of remedies based on the probability of a breach.
Budget holders will complain that the unlimited and unfathomable nature of the security threat is a licence for the security suppliers and consultants to print money.
Just point out to them that a good security policy can quantify the threat and allow the business to focus precise resources on it, and that it costs a lot more to put breaches right than to prevent them.
In short, a good security policy based on the DTI standard BS7799 will minimise ongoing costs to the business. It will ensure a systematic approach to breaches that do occur, and will help to pre-qualify your business in its dealings with online partners and customers - where the issue of trust is still a key sticking point.