tag:blogger.com,1999:blog-2397196717839865841.post6427134842514179130..comments2010-05-22T23:23:14.870+10:00Matthew Hacklinghttp://www.blogger.com/profile/12211732838162218259noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-2397196717839865841.post-20658223615150772192010-05-22T23:23:14.860+10:002010-05-22T23:23:14.860+10:00I had touched on this in an OWASP talk. In short, developer training works, user training doesn&#39;t. Not that it shouldn&#39;t be done but I wouldn&#39;t invest a huge chunk of time.<br /><br />There&#39;s a lot of stuff out there in terms of scoring visible impressions on the board - I defer to stuff like the Pragmatic EA ( see <a href="http://www.enterprisearchitectureblog.com/labels/Enterprise%20Architecture%20program%20credibility.html" rel="nofollow">here</a>). EAs have been at this for longer, or at least better experience than most security architects IMHO.<br /><br />Long term, these will add value but in essence, good architects and managers need to chalk up runs on the board and quickly to establish credibility and value otherwise they risk being seen as ineffectual and running things from their &quot;ivory towers&quot;.<br /><br />Taking your example, why not take a few of your suggestions that can be done quickly and generate rapid results within the first 30 days? There was an article in CIO magazine ages back that suggested that effective leaders at that level need to have an action plan for generating results fast. Security leaders likewise need to do the same.Jarrodhttp://www.blogger.com/profile/09705073585945953338noreply@blogger.comtag:blogger.com,1999:blog-2397196717839865841.post-29645714685313158082010-05-20T22:14:34.882+10:002010-05-20T22:14:34.882+10:00Is there evidence that we could use to compare the effectiveness of security awareness training to other mitigations? Is security awareness training objectively the &quot;best bang for the buck&quot;?mcwhttp://mark.c.wallace.pip.verisignlabs.com/noreply@blogger.com