Security Think Tank: How to build a human firewall
In-house or outsourced? What makes a good security training programme, and what questions should buyers ask when procuring training as a service?
The human firewall is a critical element in the ongoing – and many would say escalating – fight against cyber criminals. Building one is dependent on several elements, but it starts with a robust programme for IT security awareness training.
The programme needs to be comprehensive enough to fit the organisation so that, as well as basic cyber training, it includes modules such as data privacy or mobile device security if these are relevant. It also needs to be right for the industry – financial institutions face different risks to manufacturing companies, for example.
In addition, it should be as realistic as possible, focusing on the actual threats faced by the organisation, while avoiding getting in the way of people undertaking their day-to-day activities.
And, to be effective, training has to be inclusive and accessible for everyone within the enterprise, with different delivery channels adopted, ideally including computer-based training modules and “roadshows”, in which the security team visits different locations to engage with people in person.
Achieving high levels of security awareness requires training to be continuous, rather than delivered as one-off, finite exercises. This necessitates commitment and belief – companies that see training as a checklist or compliance requirement are unlikely to operate successful programmes.
The aim is to create an environment in which individuals feel safe and are encouraged to raise problems and voice new ideas early on, with the end result that their organisation is more secure.
Traits of a good security training programme
Before looking at whether their training requirements should be outsourced to a specialist provider or carried out in-house, organisations need to be clear about what a good training programme looks like.
People are the lynchpin. They drive training, which is created around their needs. The best benchmark of a good programme is employee engagement, along with the contribution the training makes to ensuring that a robust security culture exists within the organisation.
Indicators can include the way employees interact with training activities – what are the completion rates for the various modules, for example, and do users undertake training in good time or leave it until the last minute before the deadline? These details can point to the quality of the training content and how effectively it communicates the importance of the topic.
Monitoring any increase in security-positive behaviour is also a useful guide to trainee buy-in. If the programme content includes measurable calls to action, such as reporting phishing emails or switching to a password manager, it should be noticeable that employees are changing their daily habits to include these.
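The two kinds of indicator just described (module completion and timing, and a measurable call to action such as phishing reporting) can be computed from the records a learning platform and a report-phishing button already produce. The following is an added example, not code from the original article or from any training provider; the record shape, user names, dates and monthly report counts are all constructed for illustration.

```python
"""Awareness-programme indicators from constructed training and phishing-report
records. Added example; the data and record layout are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Assignment:
    """One training module assigned to one user (hypothetical record shape)."""
    user: str
    module: str
    assigned: date
    due: date
    completed: Optional[date]  # None means never completed


# Constructed sample records for a single module; not real training data.
ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), date(2024, 3, 5)),
    Assignment("bob",   "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), date(2024, 3, 30)),
    Assignment("carol", "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), date(2024, 3, 31)),
    Assignment("dave",  "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), date(2024, 4, 3)),
    Assignment("erin",  "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), None),
    Assignment("frank", "phishing-basics", date(2024, 3, 1), date(2024, 3, 31), date(2024, 3, 15)),
]

# Constructed monthly counts of user-reported phishing emails, and headcount.
PHISHING_REPORTS: Dict[str, int] = {"2024-01": 4, "2024-02": 9, "2024-03": 15}
HEADCOUNT = 300


def module_indicators(assignments: Iterable[Assignment], module: str,
                      last_minute_days: int = 2) -> Dict[str, float]:
    """Bucket every assignment for `module` by when it was completed.

    'last_minute' = completed within `last_minute_days` of the due date
    (inclusive), 'overdue' = completed after the due date, 'missing' =
    never completed. completion_rate counts overdue completions as done,
    so it should be read together with the timing buckets.
    """
    counts = {"early": 0, "last_minute": 0, "overdue": 0, "missing": 0}
    total = 0
    for a in assignments:
        if a.module != module:
            continue
        total += 1
        if a.completed is None:
            counts["missing"] += 1
        elif a.completed > a.due:
            counts["overdue"] += 1
        elif (a.due - a.completed).days <= last_minute_days:
            counts["last_minute"] += 1
        else:
            counts["early"] += 1
    if total == 0:
        raise ValueError(f"no assignments found for module {module!r}")
    done = total - counts["missing"]
    return {**counts, "total": total, "completion_rate": done / total,
            "last_minute_share": counts["last_minute"] / done if done else 0.0}


def reports_per_100_users(reports: Dict[str, int], headcount: int) -> Dict[str, float]:
    """Normalise monthly phishing-report counts so months are comparable
    even when headcount changes."""
    if headcount <= 0:
        raise ValueError("headcount must be positive")
    return {month: 100.0 * n / headcount for month, n in reports.items()}


def report_trend(reports: Dict[str, int], headcount: int) -> float:
    """Ratio of the last month's report rate to the first month's;
    a value above 1 means users are reporting more than before."""
    rates = reports_per_100_users(reports, headcount)
    months = sorted(rates)
    first, last = rates[months[0]], rates[months[-1]]
    return float("inf") if first == 0 else last / first


if __name__ == "__main__":
    print(module_indicators(ASSIGNMENTS, "phishing-basics"))
    print(reports_per_100_users(PHISHING_REPORTS, HEADCOUNT))
    print(f"reporting trend: x{report_trend(PHISHING_REPORTS, HEADCOUNT):.2f}")
```

A high completion rate on its own can hide a cohort that only clicks through on the last day, which is why the timing buckets are kept separate from the completion figure; likewise the report count is normalised per 100 users so that a growing or shrinking workforce does not masquerade as a change in behaviour.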
From a more qualitative perspective, the general stance on security within the organisation should be observed, particularly in terms of whether employees genuinely feel like a valuable part of the defence strategy against cyber attacks or find it a burden. This insight will set the tone of the training which, rather than using excessive scare tactics that can lead to a blame culture, needs to empower people to do the right thing.
To outsource or in-house?
When considering the implementation of a security awareness training programme, the key starting points to determine are the source of the content for the scheme, and who will administer it. Each can be provided in-house, by an outsourced supplier, or through a combination of the two.
Managing everything in-house is the most cost- and resource-intensive option. It is the best course of action for organisations that require training to be highly customised, with potentially sensitive information included. In return for the full control this type of programme offers, the enterprise needs to commit to up-skilling teams and investing in their technical capabilities, as well as spending a significant amount of time to get the training up and running.
At the other end of the spectrum, outsourcing can offer cost and time savings, although this comes at the expense of the training being less tailored to the specific needs of the enterprise.
There are also options for a hybrid approach. An external, “off-the-peg” training programme could be administered with oversight from internal teams, for example. In this scenario, aspects such as the customisation of the content, or the timetable for delivery, are limited to the parameters set by the service provider (sessions will be scheduled depending on the availability of the service and the number of hours contracted, rather than when employees need the training, for example).
Alternatively, an organisation could fully customise the material to be used in the training, but have it delivered by a specialist training company, which would also schedule the sessions.
This illustrates that the question of whether training is carried out in-house or through a third party provider shouldn't be viewed as a binary one – “it depends” is a more useful guide. There is no right or wrong solution; it’s a case of balancing the budget and resource available with the requirements of the organisation, with this often governed by its size.
The lower cost of an entirely outsourced programme may be preferable to smaller enterprises, while larger corporations are more likely to have the capacity for an internal team, which enables them to sustain a continuous increase in cyber awareness.
However, even with the latter approach, some level of external expertise is usually required – to generate new ideas for interaction, for example – as well as ensure advances in the training industry are incorporated into programmes.
It’s also worth bearing in mind that engaging an outsourced provider that will tailor campaigns to the specific needs of the organisation allows for the inclusion of value-add services such as cyber threat intelligence, or targeting users of critical applications – elements that can be missed with an entirely in-house team.
An external partner can also often engage multiple parts of the business, bridging the gap between HR, risk management and information security functions to achieve integrations – for example, with identity and access management (IDAM) – that internal programmes cannot.
Training as a service – finding the right provider
Procuring training as a service is no different to buying in any other service from a third party. Buyers need to understand how the provider can meet their organisation’s requirements, and this can be clarified with questions along the following lines:
- Knowledge: Does the supplier have specific knowledge of the industry in which the enterprise operates?
- Customisation: To what extent is the training programme customisable in terms of content, scheduling, frequency, and localisation?
- Service levels: Does the provider offer tiered service levels so that it can be right-sized for the enterprise in question?
- Formats: What training formats are available (in-person, video, slide deck, posters, games, etc), and on what devices can participants access the programme (computer, mobile, tablet)?
- Scope: What is the scope of the service? Does the provider get involved in deciding on the best content for the training? And will they provide the necessary reports if regulations and compliance standards need to be met?
- Account management: In terms of managing the service, will there be a single point of contact between the organisation and the service provider?
- Relevance: How does the supplier keep its training knowledge up-to-date?
A commitment to culture
The ultimate goal of any security awareness training programme is to cultivate a security-based culture within the organisation. Looked at from the other direction, an enterprise that is highly committed to building security into every facet of business life is likely to be running an effective training programme – regardless of whether that is provided in-house or outsourced.