ATLANTA - The focus of network security should shift from securing infrastructure to securing data, and that requires extraordinary marketing measures by IT security staff, according to speakers at the Forrester Research Security Conference Thursday.

"The focus should be we need to protect data vs. secure the infrastructure," says Paul Stamp, an analyst for Forrester.

That is such an important issue for Diageo - the parent company for Smirnoff, Guinness, Bailey's and other brands of alcoholic beverages - that the company has sophisticated, internal marketing videos to promote data security, says Claudia Natanson, the company's CISO who spoke at the conference.

In addition the company sponsors educational sessions tailored to the regional culture of the branch that is being trained, Natanson says. For instance, in Jamaica, where the company owns the Red Stripe beer brand, seminars held at beach parties with boom-box music while U.K. workers respond better to a county fair atmosphere where workers walk from booth to booth for briefings, she says.

And prizes work. "We're not averse to giving away iPods if you can recite key areas of a policy. "Our team says we are the corruption and bribery team."

Publicized security breaches can damage corporate brands, she says, so it is important to prevent them. Since some of these breaches can be caused by workers' failure to appreciate security, it is imperative to get them on board with policies, she says.

Stamp says that business units must accept responsibility for the security of the data they generate and control to head off data leaks. "IT people are data custodians, not owners," Stamp says. "We need to transfer responsibility to business people."

To do that, business departments such as finance, marketing and human resources have to perceive IT security as enabling their jobs not as a roadblock preventing them from using potentially productive IT tools, says Natanson.

She suggests meeting with heads of business departments and listening to their biggest business priorities first and then presenting security as an important element they should incorporate in new projects as they develop them. These meetings should be ongoing to keep security as an important part of the process, she says.