Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.

Information security is about ensuring trust in data and data
processing. Trust is sometimes defined as "performing as previously
expected", and in order to be able to keep or attain a certain level of
"living up to expectation", control is absolutely required.

2 is a little harder; if security requires checking security, we might
have a circular reference that needs to be bootstrapped.

Rule 3
is another good one; if trust is indeed "performing as expected",
people need to know what they can expect (and cannot expect), but they
also need to know what is expected of them.  I would probably rewrite
these basic rules to

  1. Have control over data and systems
  2. Educate all users
  3. Independently assess the effectiveness of rule 1 and 2 regularly