If there is a single, simple explanation for security breaches at corporations and government agencies, it is this: optimism bias.
Those who are responsible for securing information systems don't believe their organizations will be the victim of a security breach. Some of them are right -- others are wrong.
Optimism bias encourages a state of denial. And those executives who don't recognize that fact are putting their organization's and customers' most vital information at risk.
We read almost every day about security breaches -- be they hackers deliberately compromising a system, a laptop full of critical information lost or stolen, or personal data lost in transit.
In fact, my experience suggests that while managers do see the flurry of activity that surrounds the public disclosure of a security breach, far too many don't recognize that their organization could be next.
Maybe it's a natural reaction to the technology environment. Software is constantly improving, storage technology is cheap and managers believe there are better ways to spend IT budgets than to ramp up security.
The hard truth is that managers need to recognize that a reasonable level of security depends as much on the policies and management practices of their organizations as on the technologies in use, which puts this vital issue squarely in the laps of managers, not just the IT folks.
One example of a positive management action is requiring that security be written into the software that drives business information systems.
If the applications are purchased, organizations can demand secure coding practices from vendors and hold them accountable to their claims. It's an effective first defense against hackers and thieves.
Unfortunately, application vendors are rewarded for software that does the job it is intended to do, not for software that does the job AND improves security.
The conundrum for managers is this: It's less costly for programmers to fix a flaw that someone else has identified than to design secure applications from the beginning.
The negative effect of this process is that it becomes the software user's job to implement security controls to protect themselves against attacks on the vulnerable software. It's what economists call an "externality," and it happens all the time.
Nevertheless, experience shows that a lack of thoughtful policy and management decisions plays a key role in data losses caused by security intrusions and neglect.
Below are a handful of essential yet tangible initiatives that every organization can take to protect its data:
Recognize the need for senior management commitment to designing and implementing an appropriate security program. Solid leadership from top management is essential for an effective security effort.
Classify and label data according to its value. These categories may be as simple as: public, sensitive, confidential and secret. Segment all data that your organization collects and manages into one of these categories. Even if most of the data is public, this simple act will highlight where stronger security controls should be placed.
Establish policies of increasing levels of protection for each of these categories. The policies should dictate how data are stored, transferred and accessed. One size does not fit all, so the goal is to have the appropriate amount of protection for all of your organization's data.
Publish and advertise security policies throughout the organization. While awareness needs to start with senior management, it doesn't end until each staff member knows the rules and follows them.
In the end, security is a management issue. If senior management doesn't set the stage by creating and endorsing sound security policies, it's unlikely their staffs will take on that responsibility.