As this year has gone by, one thing has become pretty solidified in my mind: training for security and IT/developers is necessary. I’d rather have training for them than for users in general. Not all security measures can be adopted in every organization, so they need not just technical training, but training to be aware of the risks and how they affect the business needs. For instance, I can see some organizations thriving while users run as local admins. Why? Because the risks are known and dealt with in other, oftentimes more creative ways. And yes, this may incorporate user awareness training. I’m not against user awareness, I just put it lower on the priority list.
If you can’t build things securely, or secure them accurately and quickly, then business needs will almost always win over security, from tasks to projects to software.
One might think training should be for manager levels as well. But I would counter that managers can learn a hell of a lot from their employees, with good, trusting communication.