Physically, the facilities are better fortified as well. Ross recalls that recently "an aggressive person" whom Austin Recovery had fired was threatening to come back. The IT manager locked down the front door, which automatically required employees to swipe their badge cards to get in and other visitors to use the outside intercom. The threat turned out to be empty, Ross says, but he felt better able to protect employees and patients because of the new technology.

"It's not keeping clients in, but keeping unauthorized people out," he says.

Getting employees to use the new technology and adhere to new processes can be a slog, Assante says. Work habits are ingrained and even blending the two cultures of physical and information security staffs can be challenging, he says. CIOs and other IT leaders should identify as many opportunities as possible for the physical security staff to work alongside the IT counterparts. Assigning a cross-discipline team to conduct an integrated security assessment as "a great starting point," he says.

Retraining employees to change work routines was the more pressing problem for Austin Recovery. Ross approached the change in simple phases, first requiring employees to wear coded name badges, then setting new rules for who could use which doors when. In e-mail and frequent meetings, managers spelled out why the new policies are important -- safety, less risk, better compliance with regulations - and repeated many times that employees must comply.