How to meet the challenges of 21st century security and privacy

18.04.2012

Burgess: I'd like to say yes, but as I just said, attempting to select-out for training only those who you believe are in positions of interest to an adversary is a fallacy. That is not to say that those in highly sensitive positions, i.e., with daily access to a company's financials or critical IP (think Coca-Cola recipe) should not be afforded additional training and undergo more stringent security reviews on an aperiodic schedule. They absolutely should.

Sadly, we are repeatedly shown that safety, security and cyber-security training are not being provided in a robust and uniform manner. Let's take for example the findings of the Price Waterhouse Coopers survey of the financial industry conducted a few months back (Cybercrime: protecting against the growing threat -- Global Economic Crime Survey, November 2011). This global survey showed two in five -- about 40 percent -- had not received any cyber-security training; that those companies with the best security posture were those who had the CEO invested and leading and top-down training (i.e. CEO is included). There is still much work to do in this arena.


Power: Any shift in emphasis that would imply potential targets are taking this particular threat more seriously?

Burgess: Clearly those in the security industry have seen members of their industry family take a few body blows as their source code or other crown jewels go missing. The security industry always knew (or should have) they were the prime targets; now they have validation that the size of the bull's-eye they are wearing is substantial.