I agree, training is an important part of the security mix. However, I’ve seen the counter-argument that general awareness training is largely ineffective but enables organisations to tick the ‘train employees’ compliance box. Training has to be relevant and engaging to the employee being trained…:
According to the Financial Services Information Sharing and Analysis Center (FS-ISAC) 2018 CISO Cybersecurity Trends report, 35% of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector (respondents were all FS-ISAC members). Infrastructure upgrades and network defense were prioritized by 25% of CISOs, and breach prevention was the main thrust for 17%.