Enterprise Data Protection: The Importance of Account Ownership

Jun 26, 2007

Lesson 1 for enterprise data protection: employees have to take ownership of security.

InfoWorld’s blogging today from our Enterprise Data Protection (EDP) Forum in New York City. As InfoWorld has been reporting, companies have been struggling to protect their enterprise data from compromise by malicious (or sloppy) insiders, not to mention shadowy hackers. We’ve got some leading figures in enterprise security here sharing their thoughts and offering some interesting opinions on the fast-evolving EDP space. One of the more interesting observations this morning came from keynote speaker Stephen Katz, president of Security Risk Solutions LLC and a former CISO of Citigroup, J.P. Morgan and Merrill Lynch.

Katz was talking about the changing role of the CISO and about the need for CISOs to be security evangelists for their companies, promoting security awareness among the rank and file.

Why, you might ask? Because improving the security IQ of ordinary employees can do a lot more to raise the security posture of a company than any mere security technology purchase. As an example, Katz noted that when Citigroup had some customer accounts compromised by a hacker in the 1990s, the compromise only came to light after a couple of account reconciliation clerks noticed a pattern of funny transactions in accounts they managed. “They said, ‘Our clients don’t do business this way. They don’t do these kinds of transactions,’” Katz recalled.

Through the efforts of the clerks, the issue was escalated within Citigroup and, eventually, the underlying hack was exposed.

The moral: CISOs need to make even rank-and-file employees understand why security is important to them and their customers, Katz said.

More coverage of the EDP forum to come…!