Enterprise security executives need to make practices such as safe USB use and discreet handling of patient or customer data as commonplace as not accepting luggage from strangers in airports or wearing a seat belt when driving.

But they can't do it alone; it takes an entire organization to secure corporate assets, protect data from breaches and make sure enterprise-wide risk remains low.

"Security is everyone's responsibility," says John Kirkwood, vice president of Information Security Strategy at American Express, who spoke recently at a seminar hosted by risk-management company Consul. Kirkwood, formerly chief information security officer at the financial services giant, says his role has evolved from security policy maker to enterprise risk-management evangelist. "Security has gone from being a server room concern to a boardroom type of issue," he says.

Part of the reason companies need to reprogram IT organizations, business managers and employees to approach security as a way of life is that so many breaches are the result of insider mistakes. According to the 2005 Computer Security Institute/FBI survey, the number of security events originating within an organization is equal to those propagated by external sources. Privileged users, who have more access than typical users, perpetrate 43.5 percent of those inside security events.

"Security has evolved beyond a centralized team, and it has evolved beyond networks, systems, applications and databases," says Paul Stamp, a senior analyst at Forrester Research. "Security can no longer exist in its stand-alone, enforcer function. It must exist as part of what everyone does, and it has to be created using a two-way flow of information between policy makers and business users."

Business unit unity

To establish a security culture within a company, a logical first step is for security managers to work with other IT departments, as well as business managers from human resources and legal, and then spread the word through awareness and training programs to the entire company population. The responsibility for security moves from a technical, protection role to one that could be seen as enabling the business to function more efficiently and with less worry, industry watchers say.

"Many business units can be hesitant to bring in security, because in the past it has required them to do more work for additional costs and really impeded how they operated," says Khalid Kark, a senior analyst with Forrester Research. "Security advocates have to educate the organization to incorporate security from the beginning of every project that comes along, because it is much more costly to retrofit."

Kark says security policymakers must build or adapt security practices around the way business units actually use systems and applications, rather than forcing a process or policy onto them.

"If you don't talk to application users, you are going to build policies that will be broken right out of the box," says Cory Elliot, IT director at Basic Energy Services. Elliot is working with the chief financial officer of the oil and gas services company to assess the entire company structure, establish a security framework and fill gaps in security policies. He says he realized early that without upper management support and user buy-in the security practice project would be dead in the water.