Employees are a company’s greatest strength “but also your greatest weakness.” People are “random access device,” acting in unpredictable ways, exposing a company to security dangers either by design or more likely carelessness or lack of foresight.

Cisco’s education program offers positive messages, says Burgess. The emphasis is not on schooling employees on what not to do, but how to respond effectively to certain situations. If an employee is confronted with a tailgater, i.e. someone who follows them into a secure area without using the appropriate pass, it is that employee’s responsibility to act appropriately and direct the tailgater to a security desk. Cisco developed a script that employees can follow if they find themselves in that situation so they are prepared and can diffuse any discomfort the situation might create.

Cisco also runs a rewards program for non-security employees that demonstrate security diligence. Cash rewards and plaques are handed out twice a year.

Security is a three-legged stool, says Burgess, made up of process, technology and people. Without strength in each of those areas, the stool will fall over.