Corporate information security is a mess of contradictions. Infoconomy polls have consistently found that security rates as a top priority. But organisations with security policies spend roughly the same amount of time fire-fighting security problems as those without. If IT managers are ever to stop worrying about security enough to actually do something about it, they need to take a step back.