I have written in the past that the word "security" is harmful:
Security is an overloaded and misused term and should be sunset. In development projects, words have value when they enable people to discuss design concepts and tradeoffs. Ask five different people to define "security" and you are likely to get six different responses.
Depending on what type of business type your enterprise is, there may be widely varying security concerns. John Hagel writes that businesses are moving towards three distinct types:
Infrastructure management businesses (IMB) - high volume, routine processing businesses - think of contract manufacturers, logistics providers and call center operators as relatively pure play examples of these businesses
Customer relationship businesses (CRB) – businesses that get to know individual customers extremely well and, based on that understanding, help to access relevant resources for these customers – relatively pure play examples of these businesses include large advisory firms that help large enterprise customers decide what form of IT outsourcing to pursue and help these large enterprises to evaluate and negotiate with the right mix of outsourcing service providers.
Product innovation and commercialization businesses (PIC) – businesses that focus on developing innovative new products and services, getting them into market quickly and accelerating adoption of the products - think of semiconductor firms operating without their own fab facilities as relatively pure play examples of these businesses.
Given Hagel's business definitions and our familiar building blocks for security - confidentiality, integrity, and availability - what would we see as some general priorities for security by business type? Below is a rough ranking of what are some general concerns by business type.
I think this is an accurate reflection of many infrastructure and customer relationship companies, Innovation is a little slippier - Google has one set of concerns while a biotech has totally different. In any case they are not the same. Furthermore, the union of "perfect" confidentiality, integrity and availability is practically impossible, as your mechanic would say "choose any two". So if you can't get all three, then the next thing to look at is priorities. This may cause some brutal choices, but it does focus your efforts to identify pragmatic ways to move forward on high priority "security" concerns, more than just a general "security" strategy.