There is no shortage of people who are prepared to offer you gentle, painless, platitude-filled advice about what you should do to help improve your organization's computer security posture and minimize opportunities for someone to make off with your hard-earned corporate treasure. What’s decidedly lacking in the security business is “tough love.” Let’s be honest: you don’t care about security as much as you care about “real work,” and that’s OK…until a security issue is exploited and consequently there won’t be any more real work because you're bankrupt. So if you're ready for a little R. Lee Ermey-fication:

Focus on Business. Are you in the sports business? No? Then why do you let people surf ESPN.com? Seemingly benign surfing on company time seems like a small thing given the boost in morale it supposedly gives people in between revenue-generating tasks, but by allowing anything more than essential traffic or online activities you are inviting trouble.

Action: Don’t let anyone do “fun” stuff online at work, but let them go home once their tasks are done. People can still goof off online: on their own time. You’ll probably learn a lot more about your company and ways it can grow when people leave when work is done, not because the clock displays an arbitrary time.
Walk the Walk. If you've decided that computer security is a priority, back up your public pronouncement with concrete and public action. It doesn't matter what size or type of business you’re in; everyone who works for you takes their cues from what you do, not what you say. If you say “computer security is a priority” but don’t change policies, fix vulnerabilities, increase the security budget, upgrade your talent, etc., no one is going to take you seriously.
Action: Make security a permanent meeting agenda item, not something you address at the end as everyone is standing up to leave. Make security a part of every business decision, not an afterthought. Demand performance (security is a cost center, after all), but also provide resources and top-cover, just like any other aspect of your business that is important to you.
Go Retro. All that technology your business uses in its operations works just as well for the bad guys once they’re inside. Think of some process in your business that is completely automated; now think about how an attacker could leverage that same process to exploit you.
Action: Replace one task that is carried out in cyber-space with a task that must be completed in meat-space. Maybe you've added a few minutes to the process, but you’ve also made it more difficult for an outsider to disrupt your operations via purely technical means.
Make It Rate-able. People only care about things if they’re evaluated on those things. Do you base bonuses on how many more widgets above a minimum people make? Are you surprised your people pull all kinds of weird and even unsafe tricks to increase their widget output?
Action: Tie rewards and/or advancements to how well people follow security policy. Reward people on-the-spot who point out security problems or make smart decisions when faced with a security challenge. Watch how much people suddenly care about doing the right thing when you invoke the power of the Benjamins.
Fire Someone. If you truly believe that computer security should be a priority in your company then you should treat egregious and/or repeated violations of security policy as you would any other policy related to the viability of your business. Nothing gets people’s attention like watching Alice or Bob do their best Chuck Connors impression.
Action: Work with HR to build a legal, supportable policy designed to put violators on the right track or, if they can't comply, show them the door.
You’re probably not going to do any of these things, or if you do it will be in a form that isn't nearly as severe as what I propose. But whatever you end up doing, make sure you review it on a regular basis for efficacy. Nothing says you really don’t care about security more than doing the same thing year in and year out and wondering why you still keep getting owned.