glasshouse security

Just back from a very lively and interesting session on security at the Mobility Summit. Wish I had been able to make the whole two days, based on this panel, engagingly moderated by Charles Brookson of GSM Association.
This is basically an enterprise event - the panel comprised public research, consultancy, banking and technology vendors. They agreed security is essentially a "people problem" (you can only throw so much tech at it, you can't control behaviour etc) and there were some great anecdotes from the floor e.g 50% of delegates in an IT security class (yes!) responded to a phishing message sent out by their class leader.
But it was a bit ironic that a delegate from a major international mobile operator should ask "what can operators do to help manage security"
Try not tapping or hacking their own users?
To be fair, when I put this to the panel at the end of the session, they were very concerned to stress that service providers do everything they can to protect end-users from inside-network dirty dealings. Today's panel was, as the moderator pointed out "about revenue risks to organisations" first. But as David Lacey said it's a big problem with "no solution."