Quoting Ben Bargabus (ben_b at ppdonline.com):
> none of these people will dump their Windows environments because it's
> "unsafe", they'll expect you to make it safe.  these are financial
> people and are generally uncomfortable with change.). 

I'll speak up here. 

<soapbox>
First, the only safe environment is your mother's womb :-P OK, the only safe
network/computer/etc is one without any users. This is the first thing most
security people will tell you.

Since you gotta have users, then it becomes risk management. I know this sounds
like splitting hairs, but to keep management (or the financial people in your
case) happy you need to manage expectations. If management thinks a security
consultant will walk out and their network is "safe" "forever", that is a bad
thing.

** IN GENERAL ** I (and most people on this list) have found that Linux exposes
you and your company to LESS risk (a more secure environment).

Second, ** generally ** more security means some sort of change. If your users
won't/aren't willing to make some changes, then you'll never be able to have a
"safe" environment.

Simple example. Mandatory password aging. Every 30 days you expire all passwords
and force the user to choose a new, non-dictionary, not-used-before password.
Gonna have a change, every 30 days.
</soapbox>

-- 
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
http://www.tcwug.org, Minnesota, Wireless | Coding isn't a crime. 
Fingerprint: 02E0 2734 A1A1 DBA1 0E15  623D 0036 7327 93D9 7DA3
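As an added illustration of the 30-day aging policy Bob describes (example code, not part of the original post), the following audits /etc/shadow-style records and reports accounts whose maximum password age exceeds 30 days or whose password is already older than that. It assumes the standard nine-field shadow format and takes "today" as a day count since the epoch, the same unit field 3 uses; the sample records are constructed, not from any real host.

```python
"""Audit /etc/shadow-style records against a 30-day password aging policy."""
from dataclasses import dataclass
from typing import List

MAX_AGE_DAYS = 30  # the policy stated in the post

# Constructed sample records in /etc/shadow format (not from a real system).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$abc:19700:0:30:7:::
bob:$6$def:19650:0:99999:7:::
carol:$6$ghi:19689:0:30:7:::
dave:!:19000:0:30:7:::
"""


@dataclass
class Finding:
    user: str
    problem: str


def audit_shadow(text: str, today: int, max_age: int = MAX_AGE_DAYS) -> List[Finding]:
    """Return one Finding per policy violation. `today` is days since the epoch."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            findings.append(Finding(fields[0], "malformed record"))
            continue
        user, pw_hash, lastchg, max_days = fields[0], fields[1], fields[2], fields[4]
        if pw_hash.startswith(("!", "*")):
            continue  # locked account: aging does not apply
        # An empty max field means aging is disabled, which also violates policy.
        if not max_days or int(max_days) > max_age:
            shown = max_days or "unset"
            findings.append(Finding(user, f"max age {shown} exceeds policy of {max_age}"))
        if lastchg and today - int(lastchg) > max_age:
            findings.append(Finding(user, f"password is {today - int(lastchg)} days old"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW, today=19720):
        print(f"{f.user}: {f.problem}")
```

On a real host the max field is set with `chage -M 30 <user>`; this script only checks the stored values, it cannot verify the non-dictionary or not-used-before parts of the policy from hashes alone.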