In \u201cFive Mistakes IT Groups Make When Training End-Users\u201d, Beth Stackpole highlighted several errors that lead to ineffective or failed training initiatives.\u00a0These issues include a lack of planning and incomplete knowledge of the business and its people.\u00a0While the symptoms vary, the underlying problem that unifies these issues is a lack of attention to business requirements.\u00a0This blog post discusses the importance of applying business requirements to the formulation of a training strategy.Understand the Business NeedsIn "Essential Factors for Successful Software Security Awareness Training", Kenneth R. Vank Wyk and John Steven stressed that "training must be customized to reflect the organization\u2019s platforms, technology paradigms, languages, and packages. An organization might have lines of business that evolve in profoundly different environments."\u00a0 The work and knowledge of business analysts can be leveraged to understand the organization's needs.\u00a0 The business analysts will also help communicate the context for these requirements.\u00a0 According to Geri Winters of Wyyzzk, Inc, requirements lose their relevance when taken out of the context they address.Design to the Business CultureWe are social creatures.\u00a0 As a result, an group organized for a specific purpose will evolve a culture.\u00a0 This culture will influence the processes employed by the organization, its politics, and the way assets are managed.\u00a0 In "What Every Security Executive Should Know about Corporate Culture", Mario Moussa states that "Culture is a key reason why implementations of new initiatives often fail. A UK study in 1997 found that 33 percent of companies failed to achieve their objectives, and another study found that 50 percent of all corporate initiatives become bogged down because people stop paying attention to them."\u00a0 Business analysts are invaluable in discerning the elements of corporate culture that will shape both security awareness training but also role-specific security training.\u00a0 This cultural assessment will help scope training appropriately at the start and customize training to the audience.Inculcate a Security MindsetYou've leveraged the work of analysts who are familiar with the organization and created a customized training curriculum.\u00a0 The stakeholders embrace the relevance of security training to their performance.\u00a0 Your job is done, right?\u00a0 Not so!\u00a0 As the organization evolves, so will its culture.\u00a0 The existing curricula will eventually lose relevance.\u00a0 The curricula must be continuously revised to reflect not only the changes in the organization but also\u00a0the changing threat landscape.You must help the organization understand the value proposition associated with a security-mindset.\u00a0 The organization must embrace security as a business enabler.\u00a0 This paradigm will improve the odds that security will remain a property of the evolving culture.