Knowledge is Half the Battle! CBS...NBC? ABC? has it right! (If that's the phrase...I forget.) User awareness cannot be supplanted by certification, tokens, digital signature verification authorities, or any other contraption spewed from the mind of us 'experts'. The human is always the vulnerable link in security.

Oh, technology can help, but I have a stack of RSA SecurID pin-pad token cards to demonstrate otherwise (the client insisted that these were the only acceptable form...the Fob tokens meant the PIN was sent as part of the passcode, so anyone who could view/sniff/decrypt the traffic could learn the PIN). I kept this stack specifically because each one shows how a user wrote the PIN on the token with permanent marker, or taped it on, or anything else. The client had gone to the considerable expense of purchasing these things for a community of 15,000+ users, and prepared an informative user awareness packet, and these folks STILL did this, because they simply didn't get it. It's human nature.

And that point is a significant one. If you want to pursue I.S. as a career, and you want to do more than run ping sweeps, vulnerability assessments, and log reviews, you probably are gonna need some people-skills to work with the 'uninformed'. If you want to be successful and go far, you'll need to deal with these folks graciously. Fortune 500 companies do not pay for Security Analysts, Engineers, or Managers that display an attitude of contempt for users and their practices.