Second is policy. It amazes me how many organisations still don't have a competent security policy. There is no way we can secure the network without a roadmap, and our policies are that roadmap.
Finally, there are tools. If organisations lack strong awareness at all levels, and appropriate policies from which to derive such things as access control and need-to-know versus need-to-share decisions, security tools won't help much.
Unfortunately, the cost is increasing. It's high if we implement the three security areas and even higher if we don't. That cost goes beyond the security budget. In the US, it could be heavy personal fines for the boss or even prison.
As it happens, awareness and policy are minimal costs. Our challenge is getting that point across. We often get lip service without real support, and see the "tick-in-the-box" syndrome where the organisation undergoes the minimum preparation for an audit.
The idea is that if all the audit checklist boxes are ticked off, there's no upstream liability. One example is hiring someone just long enough to produce the Sarbanes-Oxley documentation a company needs, which I have seen happen. This is so short-sighted. What happens when the worst comes to pass and shoddy security leads to a huge, expensive data loss? It's all part of the cost and we must pay it. And that message needs to be delivered to the boardroom.