I've watched a lot of hacker-conference videos recently, and several of them have made a strong impression. I think these two, taken together, neatly illustrate the current challenges in offensive and defensive IT security.
Rather than waffle on about them, I'll post the links here with a brief introduction.
If you work in IT security, it is worth spending a couple of hours watching these. Take a look.
First the how
Put simply, the easiest way into most companies is social engineering over email and the web.
Dave Kennedy (ReL1K) demonstrates how to use the Social-Engineer Toolkit (SET).
(The backdoored keyboard is interesting, but nowhere near as common as attacks built around "click here" or "open this attachment".)
Either way, it looks to me that employee security-awareness training programs are probably the best answer to some of these issues.
Then the why
A good exploration of the economic motivations behind cybercrime, from Beau Woods.
Several really interesting points here, especially on the motivations of attackers, the "we're outnumbered" situation, and how market economics push businesses to choose the cheapest solutions that satisfy regulatory requirements so that they can keep doing business.
As for solutions to the "why", I'm not convinced that more regulation will improve IT security budgets over the next few years, or that it will deliver real value. (If more controls are mandated, the budget for each one is driven down to the cheapest, and probably the worst, option.)