In “Five Mistakes IT Groups Make When Training End-Users”, Beth Stackpole highlighted several errors that lead to ineffective or failed training initiatives. These issues include a lack of planning and incomplete knowledge of the business and its people. While the symptoms vary, the underlying problem that unifies these issues is a lack of attention to business requirements. This blog post discusses the importance of applying business requirements to the formulation of a training strategy.Understand the Business NeedsIn “Essential Factors for Successful Software Security Awareness Training“, Kenneth R. Vank Wyk and John Steven stressed that “training must be customized to reflect the organization’s platforms, technology paradigms, languages, and packages. An organization might have lines of business that evolve in profoundly different environments.” The work and knowledge of business analysts can be leveraged to understand the organization’s needs. The business analysts will also help communicate the context for these requirements. According to Geri Winters of Wyyzzk, Inc, requirements lose their relevance when taken out of the context they address.Design to the Business Culture We are social creatures. As a result, an group organized for a specific purpose will evolve a culture. This culture will influence the processes employed by the organization, its politics, and the way assets are managed. In “What Every Security Executive Should Know about Corporate Culture“, Mario Moussa states that “Culture is a key reason why implementations of new initiatives often fail. A UK study in 1997 found that 33 percent of companies failed to achieve their objectives, and another study found that 50 percent of all corporate initiatives become bogged down because people stop paying attention to them.” Business analysts are invaluable in discerning the elements of corporate culture that will shape both security awareness training but also role-specific security training. This cultural assessment will help scope training appropriately at the start and customize training to the audience.Inculcate a Security Mindset You’ve leveraged the work of analysts who are familiar with the organization and created a customized training curriculum. The stakeholders embrace the relevance of security training to their performance. Your job is done, right? Not so! As the organization evolves, so will its culture. The existing curricula will eventually lose relevance. The curricula must be continuously revised to reflect not only the changes in the organization but also the changing threat landscape.You must help the organization understand the value proposition associated with a security-mindset. The organization must embrace security as a business enabler. This paradigm will improve the odds that security will remain a property of the evolving culture. Related content opinion Positioning the Security Team Through Influence Part 1 Influence styles are a reflection of the influencers and, by extension, their team. Thus, they must understand the situations to which different styles are applicable. This series explores the common influence styles and their application. By Steven Fox Apr 21, 2012 3 mins Technology Industry IT Jobs opinion From Obstacle to Ally - Repositioning the Security Team Pt 1 By Steven Fox Apr 08, 2012 3 mins Technology Industry IT Strategy opinion Key Sessions at CISO Executive Summit 2011 By Steven Fox Dec 03, 2011 3 mins Business Continuity Data and Information Security Careers opinion Securing User Credentials On Mobile Devices By Steven Fox Nov 15, 2011 4 mins Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe