That's why Intel adopted the mantra "protect to enable" three years ago. Rather than focusing primarily on locking down assets, the information security group aims to enable business goals "while applying a reasonable level of protection," Harkins says. To do this, IT needs three things: an adequate level of understanding of the business side's situation and needs, input from both technical and business professionals on the risks and rewards of a given security decision, and a clear channel of communication among all levels and units of the business.
In 2009, Intel's IT department partnered with the company's legal and human resources groups to define security and usage policies for a new bring-your-own-device program. The company began allowing access to corporate email and calendars from employee-owned smartphones in January of 2010, Harkins says. The initiative has been successful in keeping corporate data safe while allowing employees to use their own devices for work. And as new devices come on board, the company continues to define new security and use policies.
4. Share Your Company's Hack History
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your company's systems can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. Security leaders, he says, "have got to show data, and relate it to the business goals" and then they have to show how progress toward achieving those goals will be affected if ongoing incidents are not addressed. "The more your predictions start to come true," he adds, "[the more] you're demonstrating that you know what you're doing and that you're not trying to impede the business -- you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance, Harkins says, "we had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them."
Intel also posts its lost or stolen laptop rates and shares mistakes made by employees, such as posting information to a social site, and describes the risk that created for the company. "But we don't share who did it or other details that would embarrass or create issues for the employee," Harkins clarifies.