Would you like Social Engineering with that combo?
Posted by: Andrew Jefferies
on Feb 21, 2009
Social Engineering is all about hacking people. Not in the Frankenstein sense, but in the Kevin Mitnick sense: manipulation. It's about using people in ways that they shouldn't be used, to your benefit.
The reason why social engineering is important is that people are commonly understood to be the weakest link in security. The reason for this is simple: people generally like to help others, and people generally trust others.
The fact that people are so trusting is a good thing in a societal sense. It helps us act as better people in our community. On the other hand, from a business risk management perspective, it is not so good. If your staff's trust in people makes them susceptible to manipulation, then that is a risk to the company and its information assets.
As (real-life) examples: do you think that I could call a secretary in your organization and get a full staff contact list? Do you think that I could walk into your secure facility and put a device on your network? Do you think your users would follow detailed instructions sent to them via email on how to subvert your system protections? Well, unfortunately, I probably can, unless you have trained your staff properly and put the proper procedures in place to help people make the right decisions.
Performing social engineering is not always a comfortable thing to do. People are much more sensitive about being tested than a server is! It is, however, the only accurate way to test how your people will act under these circumstances. Social Engineering testing will uncover where you need to spend your time and money on security training or other protections.
When procuring social engineering, the important thing is to make sure that you have good ground rules set up beforehand. What is off limits? What are the goals? When will the testing take place? It is also important to make sure that there is a plan in place to deal with a situation where the tester gets caught during the testing. Who can the tester have your security department call to verify that the test is authorized?