Security in any business isn't one thing, it is a continually evolving collection of services, products and working practices.  Most notably, we invest heavily in a number of technologies to achieve the security outcomes which are essential in modern day computing.  Finding the appropriate and proportional level of risk for your organisation is something that should be addressed at Board level and not a introduced as a reaction to a security-related event.