4. Share Your Company's Hack History
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your company's systems can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. Security leaders, he says, "have got to show data, and relate it to the business goals" and then they have to show how progress toward achieving those goals will be affected if ongoing incidents are not addressed. "The more your predictions start to come true," he adds, "[the more] you're demonstrating that you know what you're doing and that you're not trying to impede the business -- you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance, Harkins says, "we had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them."
Intel also posts its lost or stolen laptop rates and shares mistakes made by employees, such as posting information to a social site, and describes the risk that created for the company. "But we don't share who did it or other details that would embarrass or create issues for the employee," Harkins clarifies.
Others have mixed feelings about such tactics. Mankovich says sharing information about breaches "bears consideration," but he worries that any shared information could jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "We must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."
Ultimately, convincing employees to remain vigilant is a job shared by both IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about security in Computerworld's Security Topic Center.
Sign up for CIO Asia eNewsletters.