Making corporate security second nature
Denise Dubie (Network World) 23/08/2006 13:42:32

"It's not going to matter what kind of policy I build if I can't educate the users -- in layman's terms -- about what it means to them and why they should do it," Elliot says. "If I can explain how shutting down their PCs each night, or using certain log-in processes, helps the business and that it's not just about making their jobs more difficult, I can make policies part of the way they do things."

Such thinking is critical to success, says Brad Johnson, vice president of consulting at SystemExperts, a consultancy specializing in network security. He says there are elements of people's jobs that can change to support security measures and others that cannot, depending on the organization, and security policy makers need to find the balance between best practices and pragmatic workflows.

"Successful security measures originate as a business concept from the top that permeates down into how people can change the way they work to better enhance data privacy and resource protection," Johnson says. "It can't be about the security manager acting as police officer, but rather as an advocate for a consistent security posture across departments which, it could be argued, enables faster application deployment time and streamlined operations."

And don't underestimate human nature when communicating the importance of keeping in line with security policies. Security managers can cite embarrassing public incidents to reinforce why a corporate population needs to fall in line.

In America alone, according to Privacy Rights Clearinghouse reports, more than 53 million citizens' personal information has been compromised since February 2005, and Forrester says, "Most of these breaches occurred at companies that are household names, such as Bank of America, Time Warner and Ford." According to the National Fraud survey, internal security attacks cost US businesses an average of 6 percent of their gross annual revenue.

"No one typical user, omitting those that take part in malicious activities, wants to be the person that compromised [private] data and put the organization in jeopardy," says Ron Uno, manager of information management (and essentially acting CIO) at a health care company.

Uno meets every two months with other business unit leaders to reinforce and maintain awareness of established or updated security practices. He says recent public events -- such as employees bringing a disk or laptop loaded with critical data home -- keep the importance of security best practices fresh in managers' minds. In the face of intentional breaches, Uno says action should be swift and definitive -- yet also discreet to avoid public perception problems -- to reiterate to the corporate community not to trifle with the established security culture.

"Security policies need to have teeth, and those who break the policies need to know and endure the consequences," Uno says. "If you educate the entire employee base about the risks, the punishment and how the company could suffer, then as a security leader you have an army of people keeping their eyes and ears open and watching out that security policies are followed."

While regulatory compliance and very public breaches may have spurred many organizations' push to establish and enforce consistent security practices, they cannot remain the primary drivers for an advanced security culture. Kirkwood's three-to-five-year strategic plan for enterprise risk management at American Express includes tactical milestones to keep business units motivated within the security mind-set.

"You can't put security measures in place only because regulations require them," he says. "You have to have an enterprise risk management culture that security best practices and other IT and business initiatives feed into organically."
