This is me on my soapbox. Preaching to the choir.
1. Buy more monitoring.
It's necessary to spend security dollars on prevention and protection technologies. But it's very easy (and thus very common) to overspend on these technologies as well. Budget and spend at a prevention-to-monitoring ratio of 1:1. Security monitoring is the cornerstone of security response, and in many ways response is more important than defense.
Think of it this way. As CISO, you are the mayor of Securityville, which is on the border of North Korea, Iran, Chechnya, Darfur, and Canada. When you spend on prevention products, you are buying fences and sprinklers to keep bad guys out and keep fires from spreading. When you don't buy monitoring tools, you lack cameras and smoke alarms to tell you that the fence has a hole in it and everything is on fire. To say nothing of the police and firefighters. Which brings me to...
2. Hire more firefighters.
And by firefighters I mean security analysts that can monitor for and respond to security incidents. In 2007, if you haven't experienced a security breach yet, you probably don't believe me when I tell you it's an inevitability. But when you reread this 2 months from now, you'll know I'm right. Or you'll smugly chuckle at how this post is all FUD while Chinese hackers rifle through your e-mail unhindered. Either way, if your security folks are all busy managing firewalls and doing vulnerability scans and nobody's monitoring your network, then you can't argue my point because you don't even know that you've been pwned.
Also, hire good people. Talented people. Security monitoring is not a help desk job, so you can't pay help desk pay for it. I'm proud of our team's incident turnaround time and ecstatic about the fact that in most cases we detect and respond to incidents before the impacted employees are aware there's a problem. But this is the natural order of things, because...
3. Security is not everybody's job.
So stop saying it is. Cindy's job is processing expense reports. Tom's job is developing new client accounts. Jim's job is, well, I don't know what Jim does, but he runs Fantasy Football each year, so he can stay. Oh, right, back to you and how security is your job.
If you want employees to act securely, then you must do the (very unpopular, unfriendly, unfun) job of writing and by God enforcing data security policies. It's really cool if you can write them, design the oversight and monitoring controls, and then hand enforcement over to the compliance or audit departments. Then you'll still get invited to happy hour every once in awhile. But not by Jim. He's not talking to you since he was written up for distributing NCAA brackets printed on the blank side of old payroll reports.