The first question is what you have at risk, what value it has to the organization, and thus what you need to do, without exceeding the value of the assets you are trying to protect, in order to properly protect them.

There's a huge difference between protecting the payroll records of a couple of hundred employees and protecting the SSNs and CC numbers of a few thousand members of the general public.