A news item at Silicon.com included the following quote: "'Companies must make strong and effective security practices part of their culture through awareness, education and accountability,' says Jan Babiak, head of the information security practice at Ernst & Young. 'This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or, worse, avoid them, placing the entire enterprise at great risk.'" We'd certainly support the need for senior management's proactive support, but there's rather more to the issue than that.
Take security policies, for example. Policies without a management mandate are practically worthless. Policies with a clear mandate are fine, but are not in themselves effective. Policies with a clear mandate and a communications program to make sure people are aware of and understand their obligations towards the policies are an improvement ... but even that is not enough. People need to be led the extra mile to commit to the policies and, in time, to adapt their behaviours to fall into line with them. Compliance activities can help but (yes, you guessed it) are not necessarily The Answer either - "comply or else" expletives from management can do enormous damage to the changes necessary to achieve positive cultural shifts.
In a truly security-aware culture, people comply with security policies not so much because someone tells them to, but because they genuinely appreciate the need, just as an experienced driver instinctively uses mirror-signal-manoeuvre whereas a learner driver consciously mutters the reminder under their breath. Get the security habit through awareness, training and education - but make sure your management get into the habit too. Awareness really does start at the top.
White paper on the value of security awareness