<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TotalCIO &#187; CISO</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/total-cio/tag/ciso/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/total-cio</link>
	<description>A SearchCIO.com blog</description>
	<lastBuildDate>Fri, 17 May 2013 18:32:39 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>A security campaign against insider threats &#8212; but who&#8217;s the insider?</title>
		<link>http://itknowledgeexchange.techtarget.com/total-cio/a-security-campaign-against-insider-threats-but-whos-the-insider/</link>
		<comments>http://itknowledgeexchange.techtarget.com/total-cio/a-security-campaign-against-insider-threats-but-whos-the-insider/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:24:05 +0000</pubDate>
		<dc:creator>Linda Tucci</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security policy]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/total-cio/?p=2271</guid>
		<description><![CDATA[During World War II, when it was discovered that U.S. soldiers were being targeted by the enemy through unconventional means &#8212; alcohol, prostitutes &#8212; to give up critical information, the military launched an all-out security campaign. &#8220;Loose lips sink ships&#8221; was one of the campaign&#8217;s slogans. There were scores of other materials advising the troops [...]]]></description>
				<content:encoded><![CDATA[<p>During World War II, when it was discovered that U.S. soldiers were being targeted by the enemy through unconventional means &#8212; alcohol, prostitutes &#8212; to give up critical information, the military launched an all-out security campaign. &#8220;<a href="http://en.wikipedia.org/wiki/Loose_lips_sink_ships" target="_blank">Loose lips sink ships</a>&#8221; was one of the campaign&#8217;s slogans. There were scores of other materials advising the troops to keep mum, including a document handed to every soldier entering the battle area that listed 10 things never to write home about. The idea, said Jeff Schmidt, was to make soldiers aware of the gravity of the threat and remind them that they &#8212; the rank and file &#8212; were critical partners in American security.</p>
<p>&#8220;We have a lot to learn there,&#8221; said Schmidt, founder and CEO at security consulting firm JAS Global Advisors LLC. &#8220;Employees need to be trained to feel like they have a stake in maintaining the security of their organizations. They can&#8217;t act like they are protected by what can seem like a gigantic security apparatus.&#8221;</p>
<p>Schmidt was talking to me about what security experts saw in 2011 that was new or different, and about the threats most likely to plague CIOs this year. He works with a lot of government agencies and Fortune 100 companies in risk-prone industries like defense and energy. While intentional insider threats are &#8220;as old as the hills,&#8221; in his view it&#8217;s the unintentional security threats &#8212; those regular old phishing attacks coupled with human error &#8212; that pose the clear and present danger. Consider the <a href="http://itknowledgeexchange.techtarget.com/security-detail/rsas-achilles-heel-wasadobe-flash/">single email attachment</a> crafted to trick the HR department at RSA &#8212; a security firm! &#8212; which in a flash compromised millions of the world&#8217;s most trusted identification tokens.</p>
<p>His message to CIOs: Educate, educate, educate employees, and make them part of the security team &#8212; or ships will sink.</p>
<p>Of course, there&#8217;s a problem with that team mentality, as anyone knows who has witnessed, say, the current state of politics, or the economic pain heaped on many Americans in recent years, or &#8212; and here we&#8217;re going out on a limb &#8212; who has embraced social networking heart and soul. For employees threatened by layoffs, what motive is there to pitch in to prevent the ship from sinking if their part of the ship has already sunk? (In fact, companies have seen insider theft rise, said Schmidt, even among longtime, trusted employees. &#8220;Desperation is a powerful driver,&#8221; he notes.) Then there is the generation reared on free digital file-sharing, free encyclopedias and the habit of sharing &#8212; with everybody. How can CIOs drive home the notion that company data is precious when information has been so devalued and a company&#8217;s insiders feel like outsiders?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/total-cio/a-security-campaign-against-insider-threats-but-whos-the-insider/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bourne Identity: A CISO sheds light on risk management mind-set</title>
		<link>http://itknowledgeexchange.techtarget.com/total-cio/the-bourne-identity-a-ciso-sheds-light-on-risk-management-mind-set/</link>
		<comments>http://itknowledgeexchange.techtarget.com/total-cio/the-bourne-identity-a-ciso-sheds-light-on-risk-management-mind-set/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 14:39:16 +0000</pubDate>
		<dc:creator>Linda Tucci</dc:creator>
				<category><![CDATA[Chief Information Security Officer]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/total-cio/?p=634</guid>
		<description><![CDATA[Bonk CISO Larry Whiteside on the head, and like Jason Bourne he will wake up thinking about security in 12 different languages. “For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress [...]]]></description>
				<content:encoded><![CDATA[<p>Bonk CISO Larry Whiteside on the head, and like Jason Bourne he will wake up thinking about security in 12 different languages.</p>
<p>“For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress handles the credit card. How far the credit card machine is from another table. The location of the security cameras, the station of the guard.</p>
<p>“I am always thinking about the security scenario, not to take advantage of it, but to be aware,” Whiteside says.</p>
<p>Whiteside is chief information security officer for Visiting Nurse Service of New York (VNSNY), the country’s largest not-for-profit home health care provider. Some 130,000 patient medical records and pieces of credit card data fall under VNSNY&#8217;s watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act (SOX).</p>
<p>Whiteside practices what is called a risk management approach to security compliance. I interviewed him this week for a story I’m doing on the topic. While his organization has many regulatory obligations, “the way I approach compliance is through risk. We do not focus on just ensuring we are compliant,” Whiteside says, stating the first principle of a risk-based approach to information security.</p>
<p>“When I look at new applications or systems or architectures, I am looking at the risks to our business and the risk to our information. Those are the things that are important, not does it meet a line item associated with HIPAA and SOX,” Whiteside says.</p>
<p>A risk management mind-set is always looking for patterns &#8212; not items on a regulatory checklist &#8212; that pose a threat to the asset one is responsible for protecting. So when somebody comes to him with a security problem, even if he knows nothing about the particular system or application, he can formulate a set of questions.</p>
<p>Incidentally, most CISOs live in a security mind-set, he says, whether they’re hard-core techies or recruits from the business side. “The methodology they follow by day at work is the methodology they live outside of work,” he says. At conferences, when CISOs unwind afterward with a drink, they invariably play a <em>Where’s Waldo?</em> version of security gaffes, competing to see who can spot the most security lapses. “It’s kind of weird if you are outside the circle.”</p>
<p>The mind-set can have its limitations, as in the adage “If you are a hammer, the whole world looks like a nail.”</p>
<p>Indeed, when he is taken by surprise, it is typically by something that happens on the business side.</p>
<p>“You can’t believe that business would make that decision. You have that mind-set and forget people don’t think that way,” says Whiteside, who nonetheless never forgets what needs to happen next.</p>
<p>“But the fact is they went down that path, and you have to make it right. CISOs are support personnel. That is the reality. We are on the same side of the business as the help desk, and that is all we are. Until it can be determined how a CISO can make the company money, we will always be there to support.”</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/total-cio/the-bourne-identity-a-ciso-sheds-light-on-risk-management-mind-set/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
