Before even looking at AC you should look at Secrets and Lies: Digital Security in a Networked World (ISBN 0471453803). Whereas AC explains on a technical level what crypto is and how algorithms work, S&L gives an overview (not quite drool-proof paper marketing glossies level, but comprehensible even by CTOs :) over why it's hard to get it right and why "security" isn't just a simple checkbox on a form that you tick once you put some form of crypto in front of / around / beside your application.