Security awareness can be the most cost-effective security measure


First, let's stop and consider what security is. Dave Aitel's "Why you shouldn't train employees for security awareness" gives the impression that every security measure should be 100 percent effective. Aitel even reinforces that concept in a response to one of the many comments criticizing the article.

In his own comment, Aitel notes:

"The only thing you really know about awareness training is that no matter how much you spend on it, one time out of ten it completely fails. The one person you want to be aware is, of course, your CSO, so he can institute security measures that make awareness a non-issue."

But every security measure, technical or otherwise, has failed and will fail again at some point. If you don't realize that, you really suck as a security professional. The definition of "security" is literally "freedom from risk." You will never be free from risk in the real world. What "security" professionals are actually performing is "risk management."

Security professionals are supposed to design and implement security programs that cost effectively mitigate risk. Period. Not completely prevent risk, but mitigate the risk. You will have losses, but your goal is to control the losses in a reasonable manner.