Lessons from the Network World security tour
By John Dix, Network World, 10/17/2005
You can't police and enforce a security policy that doesn't exist, and more often than not companies are missing this key security resource.
That was one of the core messages delivered by security expert David Piscitello, president of consultancy Core Competence, on the recently completed Network World Technology Tour on security. In city after city, less than a third of the attendees said their companies have bona fide security policies.
More specifically, Piscitello says companies usually lack a "clear, documented understanding of assets and their value, whether the assets are vulnerable and how, and what risks the vulnerabilities pose."
The tendency is to throw technology at perceived problems, he says. But if you don't have a cohesive view of the problems, you can't adequately allocate your security dollars.
And the problems only compound from there. Poorly documented security policies make it hard to verify the effect of changes and probably mean risk analysis takes a back seat.
What's more, Piscitello says, without a policy "you can't establish appropriate use vs. abuse. Stakeholders do what they think is OK and cannot be held accountable."
Weak authentication is another common security problem Piscitello encounters. Passwords are often the only line of defense, and users are asked to remember too many of them, typically from five to 15. The result is that users write them down, often on sticky notes stuck to their monitors.
Two-factor authentication is better - where employees need both a password and a PIN generated by a token to log on - but users have been known to write their password on the back of the token and then lose it.
The point is that this is not a technology problem, Piscitello says. "The root cause is social and cultural. You need to modify employee behavior, get them to buy into whatever solution you use." He recommends adding security performance reviews, even paying employees if security goals are met.
Once you have adequate policies in place, the next trick is to master security auditing, logging and analysis. Piscitello says this is still something of a black art. Companies don't generally aggregate the findings and cross-correlate them, making analysis harder. And if you don't adequately audit, "you can't confirm your implementation conforms to your policy or distinguish normal behavior from abuse," he says.
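The cross-correlation Piscitello describes is easy to see with a small worked example. The Python below is an added illustration, not code from the article or from Core Competence: it parses two constructed log sources (a host authentication log and a VPN concentrator log, with hypothetical hosts, users and addresses) into one event stream and flags two abuse patterns. The first, a burst of failures followed by a success, is visible in the auth log alone; the second, an account logged into an internal host while the same account holds a VPN session from a different address, only appears once the two sources are joined. The log formats and field names are assumptions for the example.

```python
import re
from datetime import timedelta, datetime

# Constructed sample data (hypothetical hosts, users and addresses), not real logs.
# Source 1: host authentication log.
AUTH_LOG = """\
2005-10-14T08:01:10 host=fs01 user=jsmith src=10.1.4.22 result=OK
2005-10-14T08:03:00 host=fs01 user=mlee src=10.1.4.50 result=OK
2005-10-14T08:10:05 host=fs01 user=jsmith src=10.1.4.22 result=OK
2005-10-14T21:14:01 host=fs01 user=admin src=198.51.100.7 result=FAIL
2005-10-14T21:14:09 host=fs01 user=admin src=198.51.100.7 result=FAIL
2005-10-14T21:14:20 host=fs01 user=admin src=198.51.100.7 result=FAIL
2005-10-14T21:14:33 host=fs01 user=admin src=198.51.100.7 result=OK
"""
# Source 2: VPN concentrator log.
VPN_LOG = """\
2005-10-14T08:05:30 vpn user=jsmith src=203.0.113.9 event=CONNECT
2005-10-14T08:40:00 vpn user=jsmith src=203.0.113.9 event=DISCONNECT
2005-10-14T21:12:45 vpn user=admin src=198.51.100.7 event=CONNECT
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"event=(?P<event>\S+)$")


def parse_logs(auth_text, vpn_text):
    """Aggregate both sources into one list of event dicts, sorted by time.
    Each event keeps a 'source' tag so later checks know where it came from."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({**d, "ts": datetime.fromisoformat(d["ts"]), "source": "auth"})
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({**d, "ts": datetime.fromisoformat(d["ts"]), "source": "vpn"})
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Single-source check: a successful login preceded, within the window,
    by at least `threshold` failures for the same user from the same address.
    Returns (user, src, success time as ISO string)."""
    auth = [e for e in events if e["source"] == "auth"]
    hits = []
    for ok in auth:
        if ok["result"] != "OK":
            continue
        fails = [f for f in auth
                 if f["result"] == "FAIL" and f["user"] == ok["user"]
                 and f["src"] == ok["src"]
                 and ok["ts"] - window <= f["ts"] < ok["ts"]]
        if len(fails) >= threshold:
            hits.append((ok["user"], ok["src"], ok["ts"].isoformat()))
    return hits


def find_concurrent_use(events):
    """Cross-source check: an account logs into an internal host while the
    same account holds an open VPN session from a different address.
    Neither log shows this on its own. Returns (user, host login time, vpn src)."""
    sessions = {}   # user -> list of (start, end_or_None, vpn src)
    open_sessions = {}
    for e in events:
        if e["source"] != "vpn":
            continue
        if e["event"] == "CONNECT":
            open_sessions[e["user"]] = (e["ts"], e["src"])
        elif e["event"] == "DISCONNECT" and e["user"] in open_sessions:
            start, src = open_sessions.pop(e["user"])
            sessions.setdefault(e["user"], []).append((start, e["ts"], src))
    for user, (start, src) in open_sessions.items():   # sessions never closed
        sessions.setdefault(user, []).append((start, None, src))

    hits = []
    for e in events:
        if e["source"] != "auth" or e["result"] != "OK":
            continue
        for start, end, vpn_src in sessions.get(e["user"], []):
            in_session = start <= e["ts"] and (end is None or e["ts"] <= end)
            if in_session and vpn_src != e["src"]:
                hits.append((e["user"], e["ts"].isoformat(), vpn_src))
    return hits


if __name__ == "__main__":
    evs = parse_logs(AUTH_LOG, VPN_LOG)
    print("brute force:", find_bruteforce(evs))
    print("concurrent use:", find_concurrent_use(evs))
```

The admin brute-force burst is caught by the first check from the auth log alone; the jsmith finding (a desk login on fs01 from the LAN at 08:10 while jsmith's VPN session from 203.0.113.9 is still open) exists only in the joined stream. A normal-use baseline, in the sense Piscitello describes, is the set of expected (user, source, time) combinations you would compare such findings against.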