Effective security is all about risk. Measure it. Decide which risks you are uncomfortable with and take steps to mitigate them. It's also about people AND processes: technological controls alone will not give you effective security.
Scott Culp's 10 Immutable Laws of Security gives a really good summary of the guiding principles of security.