At a recent client's (I do not want to identify them, as this story is specific but I find it generally applicable) the development team were forced to update configuration files with security information (credentials, etc.) of the production systems. This place, like many, totally understood that giving the developers of software details of the production environment was not a good practice and was against their own security rules (the term "in breach" was used). The team whose responsibility it was to deploy and configure software in all non-development environments refused to take up the configuration of a new system. The claim was that they did not have time to learn how to do it. It eventually got into production and the development team was still being emailed server names, security principal credentials, etc. I raised the concern that, although the individuals being given the details were completely trustworthy, a key security principle was being deliberately ignored.

I think that it will take at least one high-profile case where senior members of staff are actually held to account by a court of law (instead of it being an empty threat) for any cultural change to occur. I think we need an Enron moment; we have the equivalent of Sarbanes-Oxley (regulation), but what we don't have is a precedent of punishment for non-compliance.

Don't get me wrong; I do not want to see people go to jail, but I do want well-known best practices applied and the employment of them actively supported by the appropriate management.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!