I am in the process of preparing for a company meeting. I am not big on formal meetings, so it is rare when I call one. The purpose of this one is to communicate what our company is doing and where we are going. I think with many companies, people are so involved in their part of the business that they never see the bigger picture and what the purpose of their part of the business is. They are so busy rowing the boat they never stop to ask, "Hey, where are we going?"
The same is true in most companies when it comes to security. Companies never communicate to their teams why these controls are put into place. And what is the result? Less security than before the control was put into place. Why? Because if people don't understand the why and see where the ship is headed, they don't ever buy into it. They are never fully on board. Therefore, they fight the security measures that are put into place. They tape encryption keys to laptops and leave the password device on the desk.
Additionally, valuable work time is wasted as employees complain to each other that they can't access Facebook and Twitter. If the company would just stop and educate the employees on the why and not just the what, I believe this would lead to a fundamental shift in how employees react to security measures. They would not only participate in the measures, they would self-police and make sure all the co-workers around them were participating as well.