A recent study has a finding that defies reason: close to half of 154 smokers who had surgery to remove early stage lung cancer picked up a cigarette again within 12 months of their operation, and more than one-third were smoking at the one year mark.In fact, 60% of patients who started smoking again did so within two months of surgery. The study, led by researchers at Washington University School of Medicine and published in Cancer Epidemiology, Biomarkers & Prevention confirmed that addictive behaviors are not easily changed.The study's lead author, Mark Walker, Ph.D., a clinical psychologist and Assistant Professor of Medicine at Washington University, summed it up best when he noted, "Patients are all addicted, so you cannot assume they will easily change their behavior simply because they have dodged this particular bullet." He concludes that their choices are driven by insidious addictive cravings for nicotine.In the world of IT, far too many organizations are addicted not to something as tangible as a cigarette, but instead to insecurity. While smokers' actions are driven by cravings for nicotine despite the health hazards, information technology's actions are driven by users' desire for easy access to data, usability, and quick deployment, with a disregard for confidentiality, integrity and availability of that data. These organizations typically know the risk of giving short shrift to security (many have even been bitten by data breaches and malware outbreaks), yet continue with their insecure ways despite clear evidence of its hazards. While we are decades into the IT revolution, too many companies are still not following computer security fundamentals. While each passing year brings greater and fancier security and privacy tools and technologies, not much has changed about how many organizations approach information security. In fact, Forbes noted that during 2008, banks have lost more of their customers' personal data than ever before. Based on this trend, and in light of deteriorating economic conditions, by the time the 2009 security year-in-review articles are written, there is every likelihood that this year will be the worst year on record for information security and privacy.Getting your organization to change its addiction to insecurity won't be easy. It is thought that addictive activities produce beta-endorphins in the brain, which gives the person a feeling of being high. Yet the highs of insecurity can include legal issues, regulatory penalties, negative PR, and much more. In order for enterprises to make those changes to a secure environment, they need to start by executing in the following areas.TimeAt the macro level, becoming secure takes time. While security vendors will hype appliances that will be up and running in minutes and other security pixie dust, the reality is that creating a secure culture and infrastructure takes time. How much time will it take? Think years, not months. Sort of like the amount of effort it takes to stop smoking. While some can quick cold turkey; the vast majority of people require multiple efforts, with numerous resources, over many year.Many organizations have been insecure for decades or more. Cleaning up such a mess can't happen overnight. Organizations need to think of the big picture over the long-term. Security and privacy are long-term processes that require TLC to do correctly. Some items are quick-kills, but overall, security can't be rushed.The Need for a CISOAn effective CISO is responsible for strategic planning, skilled negotiating and practical problem solving around not just information security, but also privacy and risk management. The CISO is more than simply the corporate security guru. Only an individual with strong business savvy and security knowledge can effectively oversee security planning, implement policies and select measures appropriate to business requirements. A good CISO should have a deep understanding of technology, combined with an understanding of the organization's functions, politics and business drivers.A perfect example of a good CISO is one who realizes the imperative in today's environment to secure business applications. Until recently, security was all about securing the perimeter. Now, the perimeter has collapsed and in some enterprises, completely disappeared. Consequently, it is crucial to secure the application.The most recent Symantec Internet Security Threat Report notes that over 60% of today's threats target applications. Far too many organizations still focus on the infrastructure and spend a disproportionately small amount of time and resources on application security.If you are a new CISO, an excellent guide to use is Gartner's The New CISO's Crucial First 100 Days. The report notes that a new CISO must make the most of this critical period, because it represents the first - and sometimes the last - opportunity to set the enterprise's security processes and technologies on an effective course.The bottom line is that unless an company has an effective CISO who oversees, manages and enforces IT security, and who has a seat at the boardroom table, the organization will suffer data breaches and outages, and become a magnet for attacks. Risk ManagementIt is imperative that your security program be based on an effective risk management program. Who poses a greater threat to your organization: a hacker from Estonia or the temporary CPA in the branch office? Unless you have a comprehensive risk management program based on the identification, analysis, mitigation and monitoring of your risks, you will never know the correct answer. And if you don't know that, you will likely be mitigating against non-existent risks.Khalid Kark of Forrester Research astutely notes that true risk management has little to do with technology; it's all about ensuring a rigorous process for consistently identifying, measuring, and reporting your organization's information risks, as well as having regular interactions with business to calibrate the organization's appetite for risk.Ground TroopsWar is often started from the air, but the dirty work is fought on the ground. Security products are like the Air Force, sleek and powerful. But for information security to work, you need ground troops, i.e., security Marines (otherwise known as the grunts from your security engineering department).Not only are security engineers invaluable, they are the difference between ensuring that security works and having security hardware and software just doing stuff. The single biggest mistake companies make is expecting security products to solve their security problems in the absence of a good security staff.Policies, Procedures and AwarenessSecurity policies are quite simple\u2014they define the aims and goals of security to the business. The follow-on to policies are security procedures. Effective procedures (often known as SOP\u2014Standard Operating Procedures) ensure that your Chicago firewall administrator, for example, builds and configures a corporate firewall in the same manner as his colleague in Tokyo.Organizations that take the time and effort to create formal information security SOPs demonstrate their commitment to security. By creating SOPs, their costs are drastically lowered (greater ROI), and their level of security is drastically increased.The aviation industry is a good example of an industry that lives and dies (literally) via their SOPs. SOPs are built into job requirements and regulations. Today's airplanes are far too complex to maintain and operate without SOPs Information security might not be as complex as a Boeing 777, but it still requires appropriate SOPs.Security awareness is also essential as information security and associated risks are not intuitive to the average end-user. Awareness is really important in that it develops a first line of defense for the organization. A mistake many CISOs make is that they treat security awareness as a one-size-fits-all program. Different people in your organization need to be trained differently. It is imperative that your awareness program reflect this. Don't use generic templates.Conclusionsthe recent breach at Heartland Payment Systems demonstrates that insecure systems hurts everyone; from the CEO, whose job may be on the line, to the consumer, who has to deal with the effects of the breach.While computer security is a challenge, insecurity is far too hazardous for any organization to deal with. The fact that tens of millions of credit and debit cards can be compromised, such as Every security breach is a wake-up call, which too many organizations respond to by pressing the snooze button. It's 2009 and organizations must start to heed the plethora of security wake-up calls. If not, the result will be the predictable, just like the outcome of any addictive behavior.Ben Rothke CISSP, QSA (firstname.lastname@example.org) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education) (McGraw-Hill).