Selling others on a new topic will only occur if they have something to gain or something to lose. You will have to spell out the value of information security in business terms that managers can relate to. It will take some time and effort, but if you talk about the issues the business is facing from a business risk perspective, demonstrate how things like compliance can be used in positive ways for competitive differentiation, and get the right people on your side, eventually the word will get out. It will then work its way around the organization and be pushed up to the level it needs to reach for positive changes to occur.
Managers: know that your employees are watching and can be influenced by your choices on how information risks are handled. You will never be able to convince everyone to do the right thing, and you certainly won't be able to control their actions all the time. But if you make choices and set good examples with a long-term perspective, your leadership will shine through, you will start a culture shift, and you will get the majority of your people on board doing what's right. Sounds like a good long-term business plan to me.
Kevin Beaver is an independent information security consultant, author, professional speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored eight books on information security including the new "Hacking for Dummies, 3rd edition" and the forthcoming second edition of "The Practical Guide to HIPAA Privacy and Security Compliance." He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin and link to his blog and Twitter account through his Website, www.principlelogic.com.