Who is the champion of security at your company?
For many companies the champion of computer security is the IT Administrator. How security focused do you think these companies are? If you are thinking they are probably pretty secure, you would be wrong. When the IT person is nagging people to be more secure how seriously do they take it? If someone gets a virus by clicking a link, are there any repercussions or training? Normally nothing more than a “please be careful and don’t click on odd emails in the future” discussion happens.