Expert Commentary from Matthew Martin:
In my experience, a good security program follows certain criteria, whether public or private. It is absolutely essential to have good asset management (you have to know what you’re protecting), and a good security program has to have excellent communication mechanisms (you have to be able to tell the business what the real threats are without being the boy who cried wolf). In general, we try to look at the world in a risk-based view. We want to make attacking us more costly than it’s worth for attackers. This is done with various levels of security controls: IDS and IPS systems, data loss prevention systems, vulnerability scanners / patching efforts, and configuration management, among others. It’s important to realize that you can’t stop everyone from getting in if they really want to; the crucial part is that you can identify and stop them quickly enough that they can’t do any harm, or can’t get to critical systems.