"The real problem [in IT security] is that organizations are not addressing basic, underlying vulnerabilities," he said at RSA Europe 2010 in London.
"Many businesses hate compliance, but like it or not, compliance is their friend," he said.
Winkler, who is president of the Internet Security Advisors Group (ISAG), said many organizations still regard security as optional.
"But the reason car makers include air bags and anti-locking brakes is because it is required by law," he said.
For many organizations, it will take increasing legislation before they take information security seriously, said Winkler.
"Some organizations will dismiss people for viewing pornography at work, but take little action against employees responsible for data breaches," he said.
According to Winkler, laws that seek to regulate processes can only be a good thing, such as a law that requires businesses to implement patches within a set time limit.
"Such a law could, for example, require that critical patches be implemented within a week of release," he said.
This story was first published by Computer Weekly