All too often people I meet seem to obsess about the latest and (supposedly) greatest security product/feature/gizzmo. They rarely seem to consider the context in which the uber product is supposed to be working.

I like flashing lights and complicated sounding technologies as much as the next infrastructure geek but I've learned (over many years) that simplicity is near to security. Use a little security stuff as possible to mitigate the realistic threats you face and manage the risk of "bad things happening" to a sensible level.

If someone REALLY wants your stuff then they'll come and take it. Effective Information Security is about being realistic. There's no point going crazy, implementing all kinds of complex controls that you don't understand and that don't work with one another.

Defence in depth is a great principle. Sadly it's been taken by many security sales people throughout the industry as a way to foster yet more products and junk on the market.

There are many wonderful security products and technologies out there and using SOME in combination with one another can be a good thing. Just don't go mad.

Keep it simple. Bear in mind that we all have different appetites for risk. Some people go bungee jumping. Others don't. There's no such thing as a standard solution for everyone. You need to think about the value of your information assets to criminals. You need to be able to get the most from your information systems rather than making them so complicated that you just can't use them effectively.