Just listened to ep. 226 of the Defensive Security podcast by @jerry. Good stuff, as always.
I did get a bit disappointed that, when discussing "compromised CEO e-mail account sends an e-mail asking to do X", the simple solution of digitally signing e-mail (GPG/PGP, for instance) was not mentioned at all.
If e-mails are signed, and people are trained, you *can* tell the difference between a legit and a malicious e-mail coming from the mailbox. Attackers now need to compromise the CEO's device itself.