Requirements-driven information security training

Apr 20, 2009 | 3 mins
Business Continuity | Data and Information Security | Identity Management Solutions

In “Five Mistakes IT Groups Make When Training End-Users”, Beth Stackpole highlighted several errors that lead to ineffective or failed training initiatives. These issues include a lack of planning and incomplete knowledge of the business and its people. While the symptoms vary, the underlying problem that unifies these issues is a lack of attention to business requirements. This blog post discusses the importance of applying business requirements to the formulation of a training strategy.

Understand the Business Needs

In “Essential Factors for Successful Software Security Awareness Training”, Kenneth R. van Wyk and John Steven stressed that “training must be customized to reflect the organization’s platforms, technology paradigms, languages, and packages. An organization might have lines of business that evolve in profoundly different environments.” The work and knowledge of business analysts can be leveraged to understand the organization’s needs. The business analysts will also help communicate the context for these requirements. According to Geri Winters of Wyyzzk, Inc., requirements lose their relevance when taken out of the context they address.

Design to the Business Culture

We are social creatures. As a result, a group organized for a specific purpose will evolve a culture. This culture will influence the processes employed by the organization, its politics, and the way assets are managed. In “What Every Security Executive Should Know about Corporate Culture”, Mario Moussa states that “Culture is a key reason why implementations of new initiatives often fail. A UK study in 1997 found that 33 percent of companies failed to achieve their objectives, and another study found that 50 percent of all corporate initiatives become bogged down because people stop paying attention to them.” Business analysts are invaluable in discerning the elements of corporate culture that will shape both security awareness training and role-specific security training. This cultural assessment will help scope training appropriately at the start and customize training to the audience.

Inculcate a Security Mindset

You’ve leveraged the work of analysts who are familiar with the organization and created a customized training curriculum. The stakeholders embrace the relevance of security training to their performance. Your job is done, right? Not so! As the organization evolves, so will its culture. The existing curricula will eventually lose relevance. The curricula must be continuously revised to reflect not only the changes in the organization but also the changing threat landscape.

You must help the organization understand the value proposition associated with a security mindset. The organization must embrace security as a business enabler. This paradigm will improve the odds that security will remain a property of the evolving culture.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups, including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.