I appreciate training and am always eager to learn something new, but I have yet to settle on a preferred form of instruction. However, there is one that I find particularly challenging, and since I've recently been considering the possibility that the effectiveness of the security training and awareness we provide may vary depending on the mode of delivery, I thought I would write down my thoughts. Here are my personal choices.
Once upon a time I spent a total of 4 hours (over three days) in meetings, stating that I will definitely not approve a security exception. At least, not until someone demonstrates that the exception requested, removes the root cause or is a valid workaround.
I often get into discussions about budgets and how much a company should invest in its security program. There is no easy answer because the problem we are trying to solve has many unknowns.
There are many ways one may address this question, the main one being a rule of thumb.
Some major breaches have seen the light of day lately, and everybody agrees that they will keep coming. I don't believe you will find any security professional respecting himself to tell you that this will stop. The reasons are many, but the most important one is the (lack of) security design. Systems, processes and services have been moving to production without security design for years. And unfortunately in many cases they still do.
In our (security) profession it is becoming common to jump on each other's throat; and the result is the public blaming of the CISO involved - like leaving them alone to take some hard steps in the middle of no man's land.