Based on “Kevin Mitnic” suggestion about security that comes from technology, training and policy, Iran cannot be considered a successful country in overall security concepts. On the other hand, there are many rumors and sayings about Iranian cyber security defense forces that would ignore the “Kevin Mitnic” theory.
About Technology aspects in Iran, it is fair to say that because of many sanctions and access restrictions of other countries against Iran, they are not able to use some technologies or services related to them. Another point to mention is that the new technologies are often not cheap and many businesses or individuals would not go after them and prefer to have less security rather than spending more for security that is something everyone know how serious it is but nobody pays attention to it unless an incident happens to them. One of the issues related to this matter is using old firewalls instead of NG firewalls that require annually licenses and another most common issue is using cracks and keygen for using different software, operating system, hypervisor, etc.
For training aspects, there are many training sources and institutions but they do not cover every subject. If someone is seeking network courses, it would be no problem at all but if someone is seeking security or cloud courses, he/she should most probably go after self-studying. Another important matter is having trainings or even training opportunities on entering a new company or a new job that is not happening in most cases in Iran. Since there are not so many security engineers in compare to other IT related engineers/specialists, security trainings and awareness is not done so well so far.
About policy aspects, businesses often want to have restricted rules for their employees but this does not mean that they have a certain procedure or roadmap in mind. For example, many companies block USB port access for their staff in order not to copy any confidential document but on the other hand the employees have unmonitored internet access! This shows that many businesses do not understand or care about setting policies with proper requirements and procedures.
Considering “Kevin Mitnic” theory about overall security situation it is fair to say that it is quite accurate. At last, all the mentioned examples and information is about many businesses and individuals but not all of them. There are also well-structed businesses and organizations that follow updated technologies, trainings and best frameworks for their policies.