Just as important as preaching accountability is practicing it. Lucenotes that even when companies write such accountability into theirpolicies, a lot of users don't pay attention. Senior management, hesays, is prone to letting offenses slide. He recalls performingsecurity audits at organizations with supposedly zero-tolerancepolicies that looked the other way when security breaches happened byaccident. That, he says, is asking for trouble. "Human nature saysyou'll get away with whatever the minimal amount of work is," saysLuce. "If you don't put something in place to force users to use realpasswords, then they won't."

Scare tactics are a controversial way to guarantee compliance. Luce isan admitted fan of using horror stories when he conducts audits. "I doquite often use scare tactics, usually with a newspaper article abouta lawsuit. That does a really good job on presidents and CEOs," hesays. Apgar of Providence Health Plans also uses such a strategy, butcautions against relying on it too often. "I use horror storiesjudiciously," he says. He worries that too many tales of security gonewrong could turn him into Chicken Little. But he says he's not averseto telling senior management stories that hit close to home, likebreaches that have happened in their own industry.

Bresler adds that he prefers to sanitize the story of something thatactually happened to Pacificorp and make it public. "These things dohappen and have resulted in dismissals," he says. Users who hear "thiscould happen to you" stories are more likely to take security policiesseriously.

In the end, technology can do a lot to protect precious corporateassets, but it can go only so far. The rest is up to the users. "Youcan have a really nice garage, but if there's no door on it, it's wideopen for a car thief," says Hughes. The harder the CSO works to makeusers the responsible stewards of corporate data, the safer a companywill ultimately be.