In April, I discussed the need to focus on the maturity of the security organization itself. I remain convinced that this is the most important priority for security and risk professionals. If we don\u2019t change, we\u2019ll always find ourselves reacting to the next IT shift or business innovation, never predicting or preparing for it ahead of time. It reminds me of the Greek myth of Sisyphus. Sisyphus was a crafty king who earned the wrath of the Gods. For punishment, the Gods forced him to roll a huge boulder up a steep hill, only to watch it roll back down just before he reached the top\u00a0\u2014 requiring him to begin again. Gods tend to be an unforgiving lot, so Sisyphus has to repeat this process for the rest of eternity.If my protestations don\u2019t convince you, perhaps some data will. The following are the top five Forrester reports read by security and risk professionals in Q2: Security Organization 2.0: Building A Robust Security Organization Twelve Recommendations For Your 2010 Information Security Strategy CISO Handbook: Presenting To The Board SOC 2.0: Virtualizing Security Operations Market Overview: Managed Security Services These reports focus on overall information security and risk strategy, the structure of the security organization itself, and the redesigning of traditional security operations. What you don\u2019t see on this list are reports about point security products. In fact, even if I expanded this to the top 10 reports, the first reference to technology doesn\u2019t occur until No. 10: HeatWave: Hot Client Security Technologies For Big Spenders And Bargain Hunters. Even this report has less to do with technology and more to do with peer comparison\u00a0\u2014 giving clients a view into what technologies their peers are purchasing.Here\u2019s another data point to consider: According to Forrester\u2019s Enterprise And SMB IT Security Survey, North America And Europe, Q3 2009, approximately 6% of enterprises cited \u201cunavailability of products\/services that meet our needs\u201d as a major security challenge. There is a plethora of available security products and services; in fact, too many of us buy point products without using them in a coordinated fashion or as part of a holistic information risk management strategy.That\u2019s why much of our Q3 and Q4 research themes as well as the theme of our upcoming Security Forum will continue to focus on \u201cBuilding The High-Performance Security Organization.\u201d We\u2019re using the image of a winning cycling team as a representation of the high-performance security organization. I chose this image because high-performance cycling and security teams surprisingly have some of the same requirements. Allow me to explain: Strategy, organization, and teamwork: Although only one cyclist wins the race, it requires a team of cyclists with specialized roles and skills to achieve victory. A good security organization needs an overarching strategy, well-defined responsibilities, and strong governance. Effective processes: The team uses a series of tactics to help the leader win. Team members take turns shielding him from the wind and pacing the team up the hills, etc. Likewise, the security organization needs solid processes in place for everything from identity and access management to secure application development to overall information risk management. Architecture and technology: The cycle plays a critical role. Over the years, improvements in suspension and braking make for a safer and more comfortable ride, and advances in material technology have made cycles much more lightweight. Likewise, security organizations must implement the architectures and technologies that balance security and compliance with flexibility and operational efficiency. I want to emphasize here that yes, technology is important, but too often that\u2019s all we focus on. You can have the latest, greatest\u00a0bike but it can\u2019t pedal itself across the finish line and a single cyclist could never win the Tour de France alone. I read today that a herd of sheep disrupted the Tour de France. No one was injured, but cyclists did have to brake suddenly and in some cases swerve around the sheep. It\u2019s likely the sheep were just befuddled and lost, but there\u2019s a part of me that would like to think it was a coordinated attack. So sheep aren\u2019t the equivalent of an advanced persistent threat (unless you frequently drive in the countryside of France), but it is a good example of risk or incident that you could reasonably predict and prepare for, since the tour takes cyclists up through the countryside.If improving the performance of your security organization is one of your top priorities, I hope you can join us at our upcoming Security Forum. If you can\u2019t, I hope you\u2019ll take the time to tell us about your priorities and toughest challenges and if they line up with what we\u2019re seeing from our clients and research.Save an additional $200 off the Early Bird rate when you register by August 6th with promo code SF10BLG.