Brown: Security starts with the end user--that, by far, is the weakest link, with the proliferation of passwords and end users not educated about what makes a computer and network secure. So to get on their radar, I would focus on leveraging automated or long-distance training through quick, five-minute webinars or infomercials, with one or two key bullets of, "This is what we're talking about this week. Let's do this thing really well next month." It could be about passwords, secure use of wireless, paying attention to who you friend on Facebook, thinking before you double-click on that attachment and what to do if you think something is fishy.
Information security isn't 100 people--it's three, four, five, 15 key people in the organization. You need to think about how to leverage their expertise, get them in front of the end users in an enticing way so you're not offending but embracing them.
Blake: Security professionals tend to gravitate toward a cartoonish vision of end users--that they're not competent or they don't understand technology. But that's not true--they do understand the need for security, but they chafe against it when they don't see the value or can't do something they want. It's more of an education issue than anything else.
Users have a desire to do the right thing. They don't want to put the company at risk, but they need to get their job done, and that's their first priority. So security professionals need to make sure things are as easy as they could possibly be--not because it improves compliance, but because it improves users' ability to do the right thing, which is what they already want to do.
The discussion needs to be, "Here's how you can do what you need to do in the right way." It's not, "Don't send confidential information in an email," but, "Here's how you can communicate that information in a secure manner."
On balancing risk and cost:
Hartmann: Business isn't black-and-white. You need to strike a balance between what's required to protect the business and running the business in a cost-effective way.
A perfect example is how, after 9/11, disaster recovery and business continuity planning got a whole new focus, and many companies learned from those discussions about the balance between running a business and thinking about the many issues they could face that we didn't think about before. Many companies have made disaster recovery planning an annual part of their risk assessment, while for professionals involved in this type of work, it's part of their daily responsibility.