Troy Jessup has a good post over on The Security Blog. In it, he talks about the need for upper management to understand the issues which drive network security and some of the shortcomings which damage security (can you say "personal business").
I heartily agree with him and will throw in my own comments here...
Many upper management types are worried that "we'll be seen as network Nazi's". Personally, I don't care of your opinion of me if the network is running properly. If the security model (based on the business model) requires that I flog every dolt who thinks the rules don't apply to them, so be it. Call me all the names you want. I plan on going home at the end of the work day.
Also, and this might sound contrary to the above, you have to have realistic and enforceable rules. Anything else breeds contempt and circumvention of the rules. The end-user also has to understand the reason for each of the rules. This requires user training and user agreements.