I wanted to add a couple more, however.
8. Economics. Let’s face it. Security costs a company money and time, and unless there are regulatory or economic reasons (or surplus budget!), a company really won’t spend more money on security. Companies are economic entities and as such work to maximize their profits. Some people don’t like to talk about that, but that’s reality. And this works not just on a macroscopic level with budgets, but also on a microscopic level: do your IT techs prioritize security projects behind business-facing projects and fires? Yes, they do. Doh!
9. Technical gulf from the trenches to the upper offices. When a CISO proclaims his company secure, most of us snicker a bit and throw back another shot of JD. When a CISO proclaims his company is in compliance and has a strong security process, do you really think he knows what the hell he is talking about? Or is he just playing salesman-lipservice and really has no clue if the company geeks really are making things secure? Often I wonder about that gulf between the techs and the upper offices and which reality each is living in day to day. Some CISOs Get It and know their environment, but I think those with a Clue are still in a huge minority (not necessarily because they’re not technically proficient, but simply because sometimes they are just too removed from the day-to-day).
9.5 Likewise, does your audit/security team have the skills necessary to tell the difference between secure and insecure, or are they just going over a checklist and then going to lunch? Technical expertise with regard to security is spotty in the technical ranks, especially on a broad level. I believe that more user-education efforts should be pointed towards technical staff (security and general IT) and not towards general employees.