Zero in on the information security risks facing your company, or you'll likely find yourself overwhelmed. That's the overall message of our 2008 InformationWeek Strategic Security Study, which polled nearly 1,100 IT and business professionals about plans and priorities for securing their companies' assets.

Getting the money for security isn't the biggest problem: Fully 95% will see their budgets either hold steady or increase this year. It's that the money isn't making data safer. Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse. Since when is "no worse than before" an acceptable return on investment?

The solution lies in securing to specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable.

In short, risk management principles bring rigor to information security.

Here's one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses. Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design. Of those without risk management plans, just 22% focus on code security.

We need the jolt that this security study provides. Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor. This despite 63% contending with government or industry regulations related to data security, many of which don't give adequate guidance on how to comply. Best practices are the best defense in such gray areas.

Companies also are behind in implementing encryption to protect customer and employee data. We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are ... informing employees of standards and putting a privacy policy on the Web site. Fine steps, but they don't exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data. Zip. Zero.

We could go on, and we will. But we need to stop for a second and ask, what gives?