Maksim Kabakou - Fotolia
Security Think Tank: Good training is all about context
In-house or outsourced? What makes a good security training programme, and what questions should buyers ask when procuring training as a service?
Every organisation requires an impactful security training programme that hardwires employees to intuitively perform their roles securely.
No matter how advanced technological solutions become, human error and negligence will always be a prevailing risk that organisations must proactively mitigate. Instilling and sustaining good security behaviour is a fundamental measure to prevent, identify and respond to security incidents caused by “the human factor”.
Whether such a programme should be developed and deployed in-house or outsourced to an external provider depends on the size and maturity of an organisation’s information security function. Even those organisations with the specialist expertise and resources necessary to develop and run a security training programme in-house may turn to training as a service as an input to their programme.
A security training programme should be designed to enable employees to identify cyber threats and report actual or suspected security incidents. It should not be delivered in isolation, but as a holistic programme based on psychological theory, which combines security education, training and awareness (commonly known as SETA) with practical initiatives that guide employees to make the right security decisions.
Developing systems, applications and processes in a way that promotes secure behaviour but does not hinder productivity (e.g. through visual cues or audio prompts) enables employees to proactively apply their learnings from SETA. Importantly, it also reminds them of the options available to them.
When procuring training as a service, buyers need to move away from a compliance-focused mindset to select a solution that is most applicable to the organisation’s specific context. Buyers can only know what solution they need if they understand the factors that are contributing to poor security behaviour.
A preliminary step is to establish the attitude of the workforce to security training (often linked to the corporate culture), the constraints imposed by security that employees dismiss as blockers to doing their job, and their general familiarity with secure practices. This analysis will put buyers in the best position to identify what they actually need in a training programme, so to select the solution that will work best for their organisation.
To be successful, a training programme must resonate with the audience; it must impart the desired knowledge, skills and competencies, and it must be conveyed in a stimulating manner that motivates employees to behave securely. Buyers should therefore consider whether the content is pitched at the right level – can it be tailored to specific roles and responsibilities, and how is that content delivered?
Training programmes need to have a positive impact and enhance an employee’s perception of information security. This generally requires the programme to have some form of interaction with its audience, whether that is through gamification or other means of enforcing engagement with the content, such as short quizzes, friendly competitions or problem-solving tasks.
Whether employees are receptive to training often depends on the style, language, storytelling and narrative adopted by the training programme – does it align with the cultural norms, values and messaging already familiar to employees? Is there the option to deliver the training as a service in an organisation’s own branding or insert personal messages from the organisation’s leadership team to endorse its importance? Security champions can be a useful way of validating the benefit of security training.
Buyers should also consider the format and frequency of training. Many organisations opt for annual training, but small, digestible micro-content is more effective for learning and long-term retention of information, especially given the relentless pace of change. Different learning styles should also be accounted for – this is particularly pertinent in global organisations.
Whether an organisation opts to deliver their security training programme in-house or outsource it, the key point is not to treat it as a tick-box exercise that simply requires budget, but to invest the necessary time and effort to make sure it is the right security training programme. It will only be possible to inspire positive behaviour change if organisations understand what the human mind will positively respond to.