Information Age: News, analysis & insight for IT & business leaders

Eighteen months ago, at Information Age's inaugural IT security conference, the opening speakers spent the first sessions reviewing the year in high-tech crime. On their list of pain points were hacking, viruses, Internet fraud and denial of service attacks.

Inevitably, the list of threats that emerged from Enterprise Security 2005 was considerably longer - and the associated cost of dealing with those much higher.

But what was also evident is that the debate about security is maturing. For one, organisations are viewing security in terms of the risk posed to the business. That means the debate is now about governance, business continuity, brand protection and risk management. It is about balancing optimal security with optimal business practices.

Recently, I had the opportunity to visit Experian's new purpose-built European data centre outside Nottingham. The credit reference agency's £31 million data processing centre is protected by fences equipped with motion detectors; a hidden swamp where anyone who successfully scales the fences takes their chances among the reeds; a Nato standard crash barrier at the main entrance; a bomb proof reception area; and pressure sensors on all the doors. And that is just the physical protection. Within the walls they have a vast array of IT protection - everything from twin firewall layers to dynamic password control.

That level of protection might be suitable for a data centre holding financial data on the credit worthiness of millions of individuals; for others, the amount of protection needs to be determined by policy. IT security is no longer just about applying technology, but about developing policies that govern how different parts of the organisation are secured. It is about how you plot a course for an open and agile enterprise in the face of threats that - if left unmanaged - can induce corporate sclerosis.