I was reading a comment from Mike Rothman about the need for SSL and then I found this expression, "path of least resistance". I really liked it on the context of security. There are lots of easy things to do to remove paths of least resistance. Depending on the level of exposure of your organization, this is all you may need to do to achieve a reasonable level of security. I remember several security measures that when are discussed by more technical guys seem to be not so relevant, but we can't ignore how many less savvy attackers are there trying to exploit our systems. A control that can stop 90% of them is better than nothing at all. I really prefer to deal with 10% of a threat than 100% of it. Just don't ignore that 10%. You can choose consciously to live with it, but don't ignore it.