"The real problem [in IT security] is that organisations are not addressing basic, underlying vulnerabilties," he said at RSA Europe 2010 in London.
"Many businesses hate compliance, but like it or not, compliance is their friend", he said.
Winkler, who is president of the Internet Security Advisors Group (ISAG), said many organisations still regard security as optional.
"But the reason car makers include air bags and anti-locking breaks is because it is required by law", he said.
For many organisations, it will take increasing legislation before they will information security seriously, said Winkler.
"Some organisations will dismiss people for viewing pornography at work, but take little action against employees responsible for data breaches", he said.
According to Winkler, laws that seek to regulate processes can only be a good thing, such as a law that requires businesses to implement patches within a set time limit.
"Such a law, could for example, require critical patches should be implemented within a week of release," he said.