Network equipment supplier Cisco told the ISSA conference that creating a security culture is a more important factor in protecting an organisation from cyber attacks than earmarking a specific budget for IT security.
Paul King, senior security advisor at Cisco, said the company had created a security culture, from the CEO down. "Security is mandatory: there are no exceptions."
The policy means Cisco has shied away from having a specific security budget, regarding security in the same light as any other business investment.
"There is no security budget. If you have a problem, do you fix it with a budget, or do you just fix it?" said King.
The firm has made security a board-level responsibility. The CEO is responsible for safeguarding against reputational risks, including damage to reputation caused by computer crime.
Cisco's CIO is responsible for protecting the firm against denial-of-service attacks, viruses and configuration mistakes, which could damage productivity.
The CFO is responsible for protection against financial loss, including theft of data by hackers.
This approach has helped to spread a security culture throughout Cisco, said King. The company does not restrict staff, but expects them to follow best practice. "All Cisco employees have laptops and can do anything with them. We have no usage controls. But we do have a code of conduct you sign every year, about acceptable use," he said.