Security imperative

12.12.2005

Adding to the challenge of securing enterprise data is the proliferation of mobile and wireless workers and small storage devices, such as thumb drives capable of storing gigabytes of data, says Eric Gorham, director of IT at the Regional Justice Information Service, a data processing center serving law enforcement agencies and other public-sector bodies in the St. Louis area.

As a result, security today needs to be not so much about technology as about "people, processes and of accountability throughout the organization," Resmer says.

User training, awareness and education are as important as technology when it comes to implementing an effective security strategy, he says. Also key is the need to view information security as a business-enabling function rather than as just a cost center that always "prevents people from doing things," says Resmer.

One example is eCollege's approach of allowing employees to use their own PCs and laptops when connecting to the company's network, Resmer says. This is despite the fact that eCollege - like the universities and other academic institutions it serves - operates in an environment that's long been considered especially vulnerable to hacker attacks. "We can try to prevent people from using their personal systems, but then you are only encouraging them to find ways around that," Resmer says. Instead, eCollege allows it, as long as users meet certain prescribed safeguards.

In the end, it's about "making security something that isn't just the CIO's problem," he says. "Make it the CTO's problem, the CFO's problem, the CEO's problem and the board's problem."