Field Report: Security in the World of Web 2.0 - Making Web 2.0 Secure (Page 2 of 2)
A thoroughly crafted set of policies is absolutely essential, says Gillmor of the Center for Citizen Media. "If companies have a clear policy on what bloggers are not supposed to do, they can avoid a lot of the problems to start with," he says. But enforcement is important, too, says Josh Kessler, an analyst at Boston-based research firm TowerGroup Inc. "Your employees are an incredible threat to security because they have access to your data," he says. "Without appropriate efforts to control that, a policy means nothing. You really need some kind of enforcement." Vendors such as Covelight Systems Inc., Vontu Inc., SmartLine Inc. and others sell software that allows companies to tag important data so that it is constantly monitored, to ensure it never goes beyond the corporate firewall.
That's all well and good. But when it comes to making Web 2.0 truly secure, experts agree the most important measure is to bake security into the applications themselves. "The first thing a CIO must do is make security a priority of the application development team," says Gartner's Williams. "There must be a stage in the development cycle where they validate the security of an application before they expose it." In practice, that means building auditing and tracking capabilities into the software itself so that suspicious behavior can be monitored.
If a third-party vendor hosts your software, make sure its security practices are transparent. Consider requiring SAS 70 audits, which were developed by the American Institute of Certified Public Accountants to give vendors a way to document their control processes for compliance with regulations such as Sarbanes-Oxley. Though helpful, these audits only validate that controls are in place; they don't look for actual weaknesses. Companies will want to take it a step further, performing penetration assessments and other security tests on their own.
At Motorola Inc., based in Schaumburg, Ill., Chief Information Security Officer Bill Boni says Web 2.0 application developers go through a training program to ensure they understand their security responsibilities. "In the urge to produce quickly, there is an all-too-natural tendency to just get it done, to prove the application does what it's supposed to do," Boni says. "Developers look at the use cases, but not the abuse cases." Boni's security team provides testing and verification of all Motorola's Web 2.0 applications. "You need to have trustworthy advisors, either inside or outside the organization, so you can have reasonable assurances that the platform not only performs, but also does not contain easily exploitable vulnerabilities," he says.
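To make the two points above concrete (building auditing into the application itself, and testing abuse cases rather than only use cases), here is an added illustration in Python. It is not code from the article, from Motorola or from any vendor named on this page. It models a user-generated-content feature typical of Web 2.0 sites, a comment box: the service escapes everything it stores, records every accepted and rejected request in an audit trail, and the demo drives it with one legitimate use case and two abuse cases (active content and oversized input). The class and function names, the size limit and the pattern used to flag active content are all assumptions chosen for the example.

```python
import html
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy for the example: comments longer than this are rejected outright.
MAX_COMMENT_LEN = 2000

# Assumed heuristic for flagging active content. Escaping (below) is the real
# defense; this pattern only exists so abuse attempts are visible in the audit log.
_ACTIVE_CONTENT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


@dataclass
class AuditLog:
    """In-memory audit trail. A production system would forward these entries
    to a central log or SIEM; the structure is what matters here."""
    entries: List[Dict] = field(default_factory=list)

    def record(self, user: str, action: str, outcome: str, **detail) -> Dict:
        entry = {"user": user, "action": action, "outcome": outcome, **detail}
        self.entries.append(entry)
        return entry

    def suspicious(self, user: str) -> List[Dict]:
        """Rejected requests by one user: the signal a monitoring team would watch."""
        return [e for e in self.entries if e["user"] == user and e["outcome"] == "rejected"]


class CommentService:
    """Stores user comments as HTML-escaped text and audits every request."""

    def __init__(self, audit: AuditLog):
        self.audit = audit
        self.comments: List[Dict] = []

    def post_comment(self, user: str, text: str) -> str:
        # Abuse case 1: oversized input (resource exhaustion, storage abuse).
        if len(text) > MAX_COMMENT_LEN:
            self.audit.record(user, "post_comment", "rejected",
                              reason="too_long", length=len(text))
            raise ValueError("comment too long")
        # Abuse case 2: script or event-handler injection attempt.
        if _ACTIVE_CONTENT_RE.search(text):
            self.audit.record(user, "post_comment", "rejected",
                              reason="active_content")
            raise ValueError("active content not allowed")
        # Use case: ordinary text, stored escaped so it renders inert in any page.
        safe = html.escape(text, quote=True)
        self.comments.append({"user": user, "html": safe})
        self.audit.record(user, "post_comment", "accepted", length=len(text))
        return safe


def run_demo() -> AuditLog:
    """Drive the service with one use case and two abuse cases (constructed
    sample input) and return the audit trail for inspection."""
    audit = AuditLog()
    svc = CommentService(audit)
    svc.post_comment("alice", "Hello <b>world</b>")          # accepted, escaped
    for attempt in ("<script>alert(1)</script>", "A" * (MAX_COMMENT_LEN + 1)):
        try:
            svc.post_comment("mallory", attempt)               # abuse cases
        except ValueError:
            pass
    return audit


if __name__ == "__main__":
    log = run_demo()
    for entry in log.entries:
        print(entry)
    print("suspicious activity by mallory:", len(log.suspicious("mallory")))
```

The point of the exercise is the second half of the test list: the legitimate comment proves the feature works, but it is the rejected attempts, and the fact that they leave a trace with the user and the reason attached, that show the application was designed with abuse in mind.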
And it's important to get a handle on the security of these new Web 2.0 tools now, because the growing proliferation of wireless networks will only make things more complex. "Mobility increases the attack surface area of a company, and I think the combination of that and these new tools will require a lot of attention in the near term," says Boni.
However Web 2.0 develops, the need to consider security is more essential than ever before. "These new applications will help companies differentiate," says Williams. "But we don't want security to become something that inhibits innovation; we want security to be the reason why we can innovate."
Sidebar: Symantec's David Thompson on the Brave New World of Web 2.0