Without a doubt, the employee is often the weakest link in thesecurity chain. "People think, It's just data; it's not reallyimportant," says Thomas Luce, former CSO of Rochester Health CareInformation (RHI) Group and now an independent security consultant."They don't understand the damage they could do, especially inhealth-care and financial services companies."

And so a solid recipe for a truly effective security strategy needs toinclude two parts common sense--and a certain amount of changemanagement. "Security is not simply a piece of technology," saysApgar. "It's a culture and a process and a procedure and anindoctrination."

"An organization's technology is only as strong as the people behindit," adds Roger Hughes, president of Data Security Auditors, anindependent auditor. "Systems and processes are built by employees."Which makes it imperative that you work to change the thinking in yourorganization from "Nothing bad will happen here" to "If I share mypassword, this can happen," or "If I leave an area unsecured, that canhappen."

The biggest challenge facing the security industry is knowing how totransform an organization's users from its biggest vulnerability intothe first line of defense. The bad news is that it's not going to beeasy. The good news is that it's not going to be impossible. Here arethree steps to get started.

Step One: Develop a Written Security Policy