Glaring omission
Ok, so, security is hard because it has this reputation for being cumbersome and hopelessly in the way. Stands to reason because it's long been just shoveled in and indeed, been hopelessly in the way. Essentially, that's attempting to secure things by unspecific blanket because the techies already know there's sensitive data in them thar servers and let's not lose it, hmkay. So why not start there? Actually, there's an even better place to start.
That is to sit down and do a bit of DR Q&A*. Things like "what would happen if $info got copied and sold to the highest bidding competition?" What really are the most important assets that you don't want to lose, don't want to see others hare off with? That's a wonderful focus on securing right there. You'll get a much better response if people know when to care and when they're allowed to slack off a little. Much less tiring that way.
Then get down to practicalities. And I don't mean so much to map who can have what access. While a good idea in theory, it moves too fast in practice to set in stone. And it's the disconnect between what security forces people to do and their expectation of being able to get their work done that is where it bites.
So things like easy handing out of access to those that need it are pretty important. The rub lies in making sure that the ability to map access matches the burden of responsibility. If bosses want do do stupid things, well, that's up to them. Just make sure it's documented who did it. Make it easy to hand out, and natural to take back, and not just upon termination. Make sure that people that do the handing out of access understand what it means and that it's their rep on the line in trusting whomever they're handing the access to. Make sure the ability to do it, the understanding of the implications, and the responsibility for it all coincide.
Then work hard to integrate security to be a natural part of the workflow. About as much effort as unlocking a door, going through, and locking it again, is reasonable for most casual use. Some things need to be streamlined, other things might be justified in being more trouble. There, too, careful arrangement can make a lot of difference.
Now look at what sort of hoops traditional IT "securing" expects people to jump through. That gap, right there, is the chasm to overcome. All the rest is fluff, bells and whistles, nice ideas but not enough. Understand just what it is you're trying to secure first, and that really isn't a technical thing.
* For the rest of us: Play what if... with various disastrous things and what that'd do to the company. That sort of thing you need to know anyway, might as well exploit it for security streamlining and saving some costs by not securing that which doesn't need securing.