Pillars of Your Community

By Meg Mitchel-Moore

When Apgar learned that users in his organization had broken two of the cardinal rules of health-care security--don't fax screen prints from claims, and don't use the system to look up your own information--he went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp's Bresler follows the same advice. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. "In an organization of our size [8,000 users], we're not going to micromanage down to the end users," he adds.

Bresler says that managers should also be responsible for enforcing the rules related to wireless security. "Business managers want their users to be productive but don't consider the risks associated with that," he says. For one thing, Bresler says, it's rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. "Wireless is convenient, cheap and handy," adds Morse. "Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don't turn on access passwords or the encryption." It's possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.

Delegating accountability to your users is also key to a security policy's success. If "it will never happen here" takes first place as the CSO's least favorite sentiment, "a security breach won't really affect me" comes in a close second. "A lot of people don't understand the implications of what the information could do outside of their hands," says Luce. Once users comprehend the importance of the data they safeguard, they should know that failure to comply with security policies could mean a big fat black mark on their record. After all, most users are more interested in their personal interests than those of the company. If users know that their personal well-being is at risk, they will start to think about corporate security in a whole new light.

"Some companies have updated their packets, and there are whole sections saying, 'You will maintain proper passwords or you'll be fired, or liable, or both,'" says Razorpoint's Morse. Pacificorp's Bresler thinks a "three strikes and you're out" policy is ideal.

To that end, security experts say, it's critical to work closely with the human resources department. Forging a strong link can build valuable and necessary support, says Hughes, and will guarantee follow-through if breaches occur. "IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures," says Hughes of Data Security Auditors. "Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they're accountable. If they do something that costs the company money, that's grounds for termination."