January 8th, 2004, 03:05 PM
#6
Probably the simplest answer is that physical security should match and complement your computer software and hardware security effort. Now the hard part of this for most of us is that IDS, etc. is just plain fun!! I have a lot of security stuff on the computer side that the sensitivity and value of our systems really doesn't need, because it's pretty cheap and I enjoy fooling around with it. However, even our relatively pedestrian systems need some physical protection. (By the way, don't forget to provide appropriate physical security for critical backups!!!)
First, some background. Our office space has an intrusion alarm system that is activated when no one is here. We would have that even if there were no computers, since there is other valuable equipment here whose loss would more than offset the price ADT charges.
We have a number of offices with $1k to $2k sets of desktop and portable PCs, along with some scanners, printers, etc. that have an outside window accessible from ground level. I was able to add some glass-break sensors to the alarm system in those offices at minimal monthly charge to warn (but not prevent, of course) of a "smash-and-grab." I also made sure that the hallways approaching critical offices, such as server locations, have motion detectors. I also set a company policy that blinds must be closed when the offices are vacant to make it harder to target particular computers.
My servers are in locked rooms with true ceilings and solid doors, but no special wall construction. Keys are numbered and controlled. I use a regular office space, rather than a steel box, etc. to allow the office HVAC to mitigate heat buildup.
All this was of very minimal extra cost, since we configured for security when the office space was initially remodeled. While I know that a determined person could get in and steal a lot of stuff before the police response occurs, I think that the resources expended on security have been commensurate with the value of the computer systems and our need for availability -- we can tolerate a day or two of down time if need be while computers are replaced and data restored.
The right mix for others will vary, but the key is balance with regard to the expense of security vs. the need for systems and data. In some cases, the replacement cost of the systems is minimal compared to the impact of reduction in service for the time required for replacement. In other cases, such as ours, the cost of physical security has to be less than the cost of unscheduled replacement, since we can tolerate the loss in services that replacement entails.