Very well put, companies should focus on designing secure systems not systems with security. There should be provision for making security decisions based upon business value that is unique to the organisation in the same way that web 2.0 ajax technology delivers a web experience that is unique to the user.

The threats we face are no less than before but as sais malware these days is much more 'run silent run deep' than ever before - there will be no more major worms to make the press but the bad guys will make increasinngly more money, this is a paradox that compounds the problem of getting funding for security ... less perceived threat but more actual threat....so you build secure systems with system funding rather than go for unique budget for security. A good example of this is the drive for PCI compliance - the card payment guys are forcing traders to build secure systems with no sensitive information in the clear so it just gets done that way.

There is a company who is at the forefront of helping organisations understand how to deal with security www.securitymob.com (disclaimer i'm not an employee)

Good article, high;ighted the required move away from tactical security implementations towards a more strategic view.

For a while now I have been talking to business about securing the information in a structure was and as part of the project the will create/use that information. This is a fundimental shift from the traditional security model of securing the network. This is still required, however business need to understand that the target of attack is the data/information, not the network.

Security 3.0 should be a natural step forward for most organisations as increased controls from SOX, PCI etc impact on how projects are delivered.