"... security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites. And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information."
The fact that IT systems and networks are misconfigured by people surely implies that security awareness programs need to include IT professionals?
More on network security and security awareness