Training Users and Administrators
I've run into administrators in numerous organizations who claim, "Security is not my problem; it's the problem of the security folks." As silly as this statement might sound, many old-school system and network administrators foolishly subscribe to this philosophy. This is not an easy challenge to overcome, but one you must work with, or around, to be successful. Put frankly, security is everyone's responsibility...and everyone's problem. It only takes one vulnerability, one weak link, to break the entire chain.
Unfortunately, getting this message into everyone's head is easier said than done. However, there are a few things that can help the cause:
Make sure that the general security policies (like AUPs) are distributed to all employees.
Embark on an awareness campaign. This will help to ensure that the general user population understands the threats, as well as help to reaffirm that there is an information security effort within the organization.
Identify an executive sponsor who is willing to publish memos to the rest of the company stressing the importance of strong security practices. Again, if it doesn't come from the top, it's hard to enforce.
Build responsibility matrices that clearly identify specific security responsibilities within the organization. With management backing, this can be used to drive home the point that security is everyone's duty.