The folks at Altiris, acquired earlier this year by Symantec, recently invited me back to their ManageFusion user conference to participate in a panel discussion about security.

The other panel members included my old friend David Strom from magazines past, Andi Mann, research director at Enterprise Management Associates, and John Sawyer, part of the University of Florida IT Security Team (Sawyer wrote about our discussion here). Steve Brown from Altiris drew short straw and had to keep us all focused.

We had time to prepare for the first question, which was to name the biggest internal security threat. Strom and Mann focused on portable devices, with Strom holding up his laptop and asking the audience, "Who knows where this has been? Do you want it on your network?" (Or something like that -- I thought it would look funny to take notes during the panel so I don't have his exact quote.)

Sawyer's primary concern, users, made everyone in the audience nod in agreement. Can you imagine trying to keep thousands of students on your network out of trouble?

My concern? Executives, and I listed four reasons. First, executives feel they make rules, not follow them. Every security tech has stories about executives with "password" as their password and more anecdotes showing even less security awareness.

Second, executives carry too much information on portable devices (like Strom's laptop), don't secure them properly and lose them too often. When a Human Resources clerk loses a laptop, the data inside won't hurt much. But when an HR executive loses a laptop, thousands of employee records get lost.

Third, executives take all your secrets with them when they change jobs. Of course, they brought secrets from their old jobs to their current one, so maybe that washes out.

Finally, executives talk too much. If you want to know what your main competitor is doing, you can launch a huge business intelligence program, or you can pretend to hire their vice president of sales. During the interview they'll spill their guts. After the interview, they'll repeat all the same details in a bar or restaurant talking to their friends. Either way, secrets leak.

There you have it: portable devices aren't secure, executives don't follow security rules, and when they lose their PDAs and laptops, bad things get worse. These issues frighten big companies. Should smaller companies be scared to death?