People are in many ways nothing more than another operating system. Just like any computer or mobile device, people store, process and transfer information. Just like any computer or mobile device, people are an end point that cyber attackers are aggressively attacking. Unlike computers or mobile devices, the HumanOS remains highly vulnerable with organizations doing little to secure it.
This really hit home for me when I was giving a short class last night. Think of it this way. Right now on your network most systems are secure by default: they have firewalls, minimized services, anti-virus, memory randomization, etc. At the same time you have this system called the HumanOS. This system is in many ways just as insecure as Windows NT was ten years ago. If your organization were filled with highly vulnerable NT systems, you would be focusing on them first as they are your weakest link.
As long as we continue to focus on just technology and ignore the human element, bad guys will continue to have it easy. If your CISO/CIO does not understand the need for securing the human, perhaps this analogy will speak to them in more technical terms.