Information security is part of the multi-dimemsional responsibilities of management. It's the board's responsibility to make sure they do it effectively and economically.

There is no generic answer to "How much security do we need" - it is of course context based.
The more sensitive the information, the more security is needed. The more the information can be used to enrich someone (or destroy someone), then the more security is needed. The more the organisation is planning for major change, the more security is needed.

"Enough security" is when the information is suitably secure. What the definition of 'secure' is, is however open to definition. Some data systems are considered secure if they cannot be breached using tools valued at $200,000 for example. That implies that if someone has sufficient motivation, all systems can be breached, but such a system is "safe" from the "casual intruder".

Therefore each organisation needs to determine its own threshold of tolerance. Using external consultants to recommend what that is may be useful.