Pillars of Your Community

By Meg Mitchel-Moore

At Providence Health Plans, Apgar takes a positive approach to focusing his users' attention on security procedures. "Instead of saying, You have all this stuff you need to do, we say, We do 80 percent of this already, and we just need to do it better." And, he insists, trust is a key ingredient of a secure organization. "If you trust people to be honest and professional, 90 percent will be," he says. "If you expect the opposite, that becomes a self-fulfilling prophecy."

Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. "It's an educational process, and it's repetitive," says Luce. This repetition becomes particularly important when the company's policies change. "Once everyone is trained, you have to have everyone sign off on [the policy] every year," says Hughes. "Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply."

Any method will work--as long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. "We do training periodically," he says. "We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We're taking it a little bit at a time." At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.

Step Three: Enforce the Policy

While a company's security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.

