Enterprise Data Security: Definition and Solutions
A guide for data managers on what enterprise data security is, how to achieve it and how to budget for it.
- What is enterprise data security?
- Should I focus on the big virus threats or on the broader task of securing my data?
- There's no way to overspend on security, right?
- Can I safely cut my security budget?
- How do I get the CEO to buy into my strategy?
- I'm looking long-term. My systems are platform-based. My security stance mirrors the threats. Do I still need to focus down to the individual packet level?
- Should I derail a project nearing completion to insert security measures?
There's no way to overspend on security, right?
Hold on. Time for an analogy: Every major city in the world has one residential address that's more of a bunker, ready for a siege fit for a Peter Jackson movie. Not only are the odds against such an encounter astronomical, but some of these armaments don't even work (thankfully).
Yes, your most precious commodity is your employees' and customers' data, but you can spend too much on security. And if you are listening closely enough, you might even know when you're overdoing it.
"Your sales force will let you know," says Gartner security analyst John Pescatore. Put too many hoops between them and the customer database, and you'll slow their ability to sell. That makes for unhappy employees—and fewer sales.
Pescatore says you have to challenge new security procedures and tools for effectiveness as well as overzealousness.
"Ask the question," Pescatore says. "Why are we making the sales staff use three passwords and a token to get to their information?" It's probably over the line and probably wasting time and resources.
You're continuously balancing the need to safeguard data with efficient information access. It means exhaustively researching products that are best suited for your particular operations. It means training everyone about their responsibilities. It means following up with network monitoring and refresher classes.
Pescatore says the typical enterprise is spending 6 percent to 7 percent of the IT budget on security, not counting business continuity or disaster recovery expenses. That's equal to about 0.4 percent of revenue. (While it may not be the best comparison, he says, typical retailers spend 1.5 percent of revenue to keep shrinkage, or losses due to theft, stable at that 1.5 percent mark.)
Can I safely cut my security budget?
Surprisingly, yes, it's possible. Two ways come to mind: Always know your systems, and spend wisely.
First, find your vulnerabilities before your enemy does. Think of your organization as an onion. Every layer, all the way down to the core—which might be individuals and their contact with the outside world—can have vulnerabilities. Each vulnerability has to be identified and resolved.
Gartner security analyst John Pescatore recalls one organization that reduced its security budget and even support spending by consolidating its many Microsoft Windows images, or versions of Windows, to just two or three.
This strategy is almost always going to be less expensive and more effective than buying an application that merely tries to shield or ameliorate vulnerabilities.
Assuming you've analyzed your systems (and that you do it regularly), look at your buying strategy. Like those companies with numerous Windows images, many organizations are freckled with point products. These products are not coordinated; some are outdated and others are outright redundant.
Instead, think in terms of platforms for discrete functions. Replace a hodgepodge of products with, for example, an e-mail security platform, a Web security platform, and a wireless security platform.
How do I get the CEO to buy into my strategy?
First, says Jonathan Penn, a security analyst and vice president with Forrester Research, realize that "you can't convince people about security priorities." A lot of times, it's an emotionally charged issue. "You can only educate them," he says. Tell them about precautions that your competitor or industry is taking, for example.
And don't assume that savings will win you quick approval. It's counterintuitive to think spending less could deter threats. Just be ready to show in detail how your strategy—whatever the cost—covers you for known threats and creates a foundation on which you can mount an immediate defense against as-yet unknown vulnerabilities.
For more on Enterprise Security, see CIO.com's Security Drilldown.



