Effective security is all about risk. Measure it. Decide which risks you are uncomfortable with and take steps to mitigate them. It's also about People AND Processes - technological controls alone will not give you Effective Security.

Scott Culp's 10 Immutable Laws of Security gives a really good summary of the guiding principles of security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea Law #10: Technology is not a panacea