re: How To Make Information Security Everyone's Problem
I think the cure is often, not always, worse than the disease in the case of IT security. Installing anti-virus software on PCs for instance. Good thing you have that anti-virus software on your PC, otherwise someone could install software that slows down your system and puts annoying pop-ups all over the place... which is exactly what the anti-virus software itself does to your system.
Think about the collective amount of time and money (money in form of productivity) that goes into something like 60-90 day password changes. It has to be in the billions across all companies. Not to mention that people need to store their passwords somewhere, like on a post it note, so they don't forget their many, constantly changing passwords... which, again, is more of a security vulnerability than not requiring forced changes in the first place.
I am not saying that people should drop IT security altogether, just that they should stop treating every end-point as if there is an army of hackers bound and determined to crack it. Often times people implement the most elaborate IT security measures under the sun to protect data which isn't of particular value to anyone.
A lot of IT security, if we are honest, is like putting your head under your desk in the case of a nuclear attack. If a talented hacker wants into, for instance, a Windows network, you are not going to be able to stop them regardless of your security standards.