Both tech and non-tech staff understand how important IT security is, and they will happily tell you what they think of your training initiatives if you ask them. Are you ready to hear it? And even if you are, what are you going to do next?
First Published 22nd August 2020 | Latest Refresh 22nd December 2021
Tendai loved completing the company's new cyber security compliance training on his corporate brick.
4 min read | Reflare Research Team
In the previous research articles from our 'Ultimate Guide to Creating and Delivering an IT Security Training Program' report, we have guided you through the planning, selection and execution of a training program.
Below, help you debrief your trainees once their training is complete and ask the right questions to gain the insights needed to iteratively improve the training experience.
It is important that you make sure that trainees feel comfortable answering the following questions truthfully. If required, reassure them that there are no wrong answers, and that contrarian insights are welcomed. Also consider if these questions are better asked one on one or in a team setting, or state that you are collecting their feedback anonymously.
Was the training what you expected it to be? How and how not?
Quite often your trainees will have a finer appreciation for the applicability of the training in their real-life day-to-day workflow. How helpful was this training? What was missing from the curriculum? Was there anything in the program that surprised you for better or worse? Can you give an example of how you will use something you’ve learnt from this training in your job? Do you experience any circumstances where lessons from the training would actually work against the security of the organisation?
Be sure to ask open, explorative questions when the trainees start to disclose what they really think, even if it’s negative feedback. Is this feedback that is the fuel that feeds into your evaluation of what to do differently next time? Without it, you are doomed to repeat the same mistakes you don’t know you made.
What challenges did you face during your training?
This is a great question to help you evaluate if your training was too condensed, or if you incorrectly assumed the trainees had sufficient preconceived knowledge before the training began. If you have recently changed IT security training programs, look to understand what they did or didn’t like from the old training, and benchmark it against their feedback on the new training.
Were these stated challenges just an acceptable level of ‘capability stretch’ that’s needed to develop new skills, or were you asking too much from trainees? What is the tempo and velocity of the training to fast? Were there sufficient opportunities to apply hands-on experience to the learnings in real-time? What would they have preferred to experience to not have these learning challenges?
It is important to be empathetic when receiving this type of feedback. Don’t seem dismissive when you hear it because they had a problem with something that you’ve put a lot of effort into creating. Instead, listen attentively, do not judge, put yourself in their shoes, and seek to understand where they are coming from. Be sure to thank them for their honesty, and confirm that the feedback will not be used against them in any way.
Furthermore, you can build credibility by showing the impact of the feedback as you make changes to future training programs. Make sure you provide a feedback loop back to the trainees, so they can identify the value they have contributed in sharing their experiences with you.
How closely did the training match your daily workflow?
So many training solutions deliver ‘out of the box’ lessons that are completely devoid of the trainee’s workflow. Use this opportunity to really understand which components of your training delivered a meaningful impact on the day-to-day activities of your staff.
Training without applicability or context delivers low trainee engagement, zero knowledge retention, and no behavioural change (not to mention the lost productivity and a waste of your budget). Suppose you find that trainee feedback is reporting high amounts of irrelevant in your training program. In that case, this means that even the training requirements were incorrectly scoped at the beginning of your design process, or you are training the right content to the wrong people.
Misdiagnosis of training objectives can happen, but it is easily avoided when addressed earlier in the training design process, which you can read about here.
One way to mitigate this risk is to ensure that your materials are easily customisable to your trainee’s reality. There are now IT security training solutions that provide efficient and cost-effective ways of customising training content that delivers low-effort / high-value returns.
There are no longer acceptable excuses for getting this wrong twice.
Download: Use this simple-to-use questionnaire to capture trainee feedback which will feed into your next iteration of training design. (pdf)
What would you improve the training?
This is a very open-ended question, but deliberately so.
The people who use your systems and networks day-in / day-out understand every little problem and risk that an adversary could exploit. Listen to them. Learn from them. They can not only give you valuable insight about trends and future training requirements long before leadership learnt about them, but they also can provide you with some brilliant ideas for how to improve the overall training experience.
Cyber security is fluid, and staying on top of all the changes, trends, and emerging threats is not easy. If you listen to your trainees, and independently verify what they are saying is correct, then you will be ahead of the game for the next training cycle.
Furthermore, you can subscribe to the Reflare Research Newsletters, which will periodically update you with the latest trends in IT security training. As an example of this, you can read up on some relevant information on the topic below.