The State of Information Security 2003
So you can’t accuse the companies that suffered breaches of not spending enough. But perhaps they didn’t spend well. The hardest question for IT security officers to answer clearly isn’t, "How much should we spend?" but rather, "Where and how should we spend?"
The answer: Probably not on technology.
Security expert Bruce Schneier of Counterpane Internet Security, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World, believes that technology has been hamstrung in its ability to protect companies because it hasn’t been matched by security awareness.
"Most of the time security problems are inherently people problems, and technologies don’t help much," says Schneier. "Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. [At least two of the 9/11 terrorists did that.] Technology that makes the IDs harder to forge doesn’t solve that problem."
Then there’s the problem of companies not using the technology they have to its full potential.
Seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the harder way—by customers, colleagues or the news media alerting the company to a breach, or worse yet, to damages the event caused.
Companies have deployed so much technology, and have generated so much data in the form of log files, that they often have given up trying to interpret the data. The haystack’s grown too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers’ security practice. "When they give up," he says, "that’s when breaches happen."
Giving up is one way to explain the tendency of companies that were hardest hit by hacks to cut their security budgets. Maybe these companies were hard hit by something else—the economy—and are cutting budgets across the board.
But it’s just as likely that they’ve decided that the money they did spend was not spent well. Why? Information security has not, for the most part, adopted risk management as a philosophy. It’s still treated as a binary question: Either we’re safe or we’re not. Either the money we spent worked or it didn’t.
"People think in terms of threats, not in terms of risk," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. "Risk management allows you to assemble threats into some order of importance so the available funds can be used most effectively to prevent and prepare for the identified risks."
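The ordering McCreary describes is easier to see with numbers. The script below is an added example, not part of the original article and not from any of the people or firms quoted in it: it scores each threat by its annual expected loss (frequency times loss per event), ranks the threats, then spends a fixed budget on the controls that remove the most expected loss per dollar, re-evaluating each remaining control against the risk that is still left after earlier purchases. Every threat, control, rate, dollar figure and reduction percentage is a constructed illustration, not data from the survey.

```python
"""Risk-based security budgeting: rank threats by expected annual loss and
fund controls in order of risk reduction per dollar.

Added example with constructed figures; nothing here is survey data or any
real company's risk register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    annual_rate: float     # expected occurrences per year (constructed)
    loss_per_event: float  # expected dollar loss per occurrence (constructed)

    def annual_loss(self) -> float:
        """Annualised loss expectancy: average cost of this threat per year."""
        return self.annual_rate * self.loss_per_event


@dataclass
class Control:
    name: str
    cost: float  # annual cost in dollars (constructed)
    # threat name -> fraction of that threat's remaining annual loss this control removes
    reductions: Dict[str, float] = field(default_factory=dict)

    def marginal_reduction(self, residual: Dict[str, float]) -> float:
        """Dollars of annual loss removed, given what earlier controls already removed."""
        return sum(residual.get(t, 0.0) * frac for t, frac in self.reductions.items())


def rank_threats(threats: List[Threat]) -> List[Tuple[str, float]]:
    """Order threats by annual expected loss, largest first: the 'order of importance'."""
    return sorted(((t.name, t.annual_loss()) for t in threats), key=lambda x: -x[1])


def allocate_budget(threats: List[Threat], controls: List[Control], budget: float):
    """Greedy allocation: repeatedly buy the affordable control with the best
    risk reduction per dollar, measured against the risk that remains.
    Returns (names of chosen controls, dollars spent, residual loss per threat)."""
    residual = {t.name: t.annual_loss() for t in threats}
    remaining = budget
    chosen: List[str] = []
    available = list(controls)
    while True:
        best, best_ratio = None, 0.0
        for c in available:
            if c.cost > remaining:
                continue  # cannot afford it this year
            gain = c.marginal_reduction(residual)
            if gain <= 0:
                continue  # buys no risk reduction against what is left
            ratio = gain / c.cost if c.cost > 0 else float("inf")
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        # Apply the control: each covered threat keeps only (1 - fraction) of its loss.
        for t, frac in best.reductions.items():
            if t in residual:
                residual[t] *= 1.0 - frac
        remaining -= best.cost
        chosen.append(best.name)
        available.remove(best)
    return chosen, budget - remaining, residual


# Constructed sample data for illustration only.
SAMPLE_THREATS = [
    Threat("Phishing", annual_rate=12, loss_per_event=5_000),
    Threat("Web application compromise", annual_rate=0.5, loss_per_event=200_000),
    Threat("Laptop theft", annual_rate=2, loss_per_event=10_000),
    Threat("Denial of service", annual_rate=0.2, loss_per_event=50_000),
]
SAMPLE_CONTROLS = [
    Control("Phishing awareness training", 15_000, {"Phishing": 0.5}),
    Control("Web application assessment and fixes", 40_000, {"Web application compromise": 0.6}),
    Control("Full-disk encryption on laptops", 5_000, {"Laptop theft": 0.9}),
    Control("DDoS mitigation service", 30_000, {"Denial of service": 0.8}),
    Control("Firewall upgrade", 25_000, {"Web application compromise": 0.2, "Denial of service": 0.3}),
]


if __name__ == "__main__":
    for name, loss in rank_threats(SAMPLE_THREATS):
        print(f"{name:30s} expected annual loss ${loss:>10,.0f}")
    chosen, spent, residual = allocate_budget(SAMPLE_THREATS, SAMPLE_CONTROLS, 70_000)
    print(f"\nBudget $70,000: bought {chosen}, spent ${spent:,.0f}")
    print(f"Residual expected annual loss: ${sum(residual.values()):,.0f}")
```

Two things the run makes visible that the binary "safe or not" view hides: the cheapest control (disk encryption) is bought first because it removes the most risk per dollar, not because laptop theft is the biggest threat, and the highest-ranked threat is still the largest residual risk after the budget is spent, which is exactly the conversation a risk-based program lets a security officer have with the board.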