I hope I'm not repeating what someone else has already said in this thread...

Consider spending some time looking into the psychology of security.

The simplest example of this is those spoofed e-mails that appear to come from Microsoft, eBay, and others telling you that you need to update your personal information, install the "patch" attached to the message, or whatever. I am amazed at how many intelligent people fall for this -- intelligent people who KNOW not to open unexpected attachments. The reason they fall for it is that the person who created the e-mail knew how to push the right buttons. It is natural to panic when you see a legitimate-looking e-mail telling you about your recent $500 purchase at Amazon that you didn't make.

Another example of the psychology angle is when people call in and purport to be someone they aren't, and either harass or sweet-talk the callee into giving out crucial information that enables the attacker to get at what they want. Our help desk regularly receives calls where the caller claims to be someone they aren't in order to get a password or other information. At a bank I worked for many years ago, we would receive several calls a week from people claiming to have "forgotten" their PIN who wanted us to give them the PIN over the phone, when the only information they had was the card number from the ATM card. That, and they called the computer center for the PIN rather than the bank. Again, you may not fall for it, but you would be surprised at how many intelligent people will.

I don't care how good the tech side of your security is, if people at your org don't understand the human side of it, a moderately determined attacker, with the right type of people skills, can get through the technology.

--FZ