Also, there should be checks and balances in place that minimize the damage that one IT employee could do. One person might be in charge of changing files, another in charge of changing the network fabric and a third in charge of modifying payroll records. "Most big computer systems have a log-in that might be in a generic way described as the superuser," says Daniel Geer, CTO of managed security company @Stake in Cambridge, Mass. "If I gain the superuser power and I should not have it, the question is, How far does it extend? I'd rather not have the power to change the company invested in one person--not because I don't trust that person, but because if their credentials are stolen, that is an uncontainable risk."

2 Build Security from the Inside Out

These access controls are only the first step toward a decreasing emphasis on what's known as perimeter protection--security's equivalent of the moat around a castle. Surprisingly, more than half of companies that responded to one CIO survey last year don't have critical information restricted to a confined area, separate from other information that requires less security. In other words, once anintruder gets over the moat, he won't even need to pick a lock to get the crown jewels. "Some corporations run hard on the outside and soft on the inside: Once you get in, you have free access," says LarryBickner, vice president and information security officer at Nasdaq in New York City.

To protect its trading floor, Nasdaq takes the opposite approach, and one that experts recommend: progressive hardening from the inside out. "We break our world into various trust zones, and we control who's within that zone or space," Bickner says. "I don't have access to human resources servers or systems. It's not part of my job. We have a completely different trust space for the market system, and where those overlap, we control those connections very strictly.... Even if one layer isn't set correctly, the other layers compensate. That layering gives you hardening. Our architecture is hardened to the point that when you're on the inside, it's not much easier to get at things, frankly, from being on the outside."

3 Make Security Part of the Culture

Another key element is establishing a culture that values security.That helps keep the honest people honest and makes it easier to deal with people who cross the line. At George Washington University in Washington, D.C., the CIO and his information security officer, Krizi Trivisani, have made computer security part of the university's code of conduct that students, faculty and staff have to read and sign once a year. "Policy is a great vehicle," says CIO Dave Swartz. "Of course, you have to be ready to enforce the policy, and that's the problem. What's the hammer?" Swartz's department forwards people who break security policies (including students who try to test hacke rtechniques they've learned in class) to the appropriate disciplinary organization, but they prefer to focus on prevention. The IT department hosts regular security forums and invites members of the legal department, compliance office, and audit, policy and student groups. "Education and awareness is a very powerful tool," Swartz says.

CIOs who decide to implement stricter policies for employees should be doubly sensitive to educating users about reasons for the changes. "This is a classic situation where what your culture is and what you've done in the past lays a foundation for future efforts," says Mitchell Marks, an organizational psychologist in San Francisco. "If you don't explain why you are [increasing security], then people will talk about it at the coffee machine, fill in the information voids with perceptions that are probably more negative than reality [and conclude]: Leadership doesn't trust us."