How to Condense Your Cyber Security Training Scope

The range of IT securities capabilities you can train for is limitless, and some domain areas are more valuable than others. Therefore, the right question is not "What training do you want", but "What training is good for you".

First Published 12th October 2020  |  Latest Refresh 6th November 2022

The secret of any training manager achieving true happiness is in defining what is in scope, and more importantly, what is not.

8 min read  |  Reflare Research Team

Nothing Left to Lose

If you have followed the previous articles from our 'Ultimate Guide to Creating and Delivering an IT Security Training Program' report, you will now know who to train, why to train, what to train and how to train. The next step is critical but usually ignored: Reducing everything you have found out to its essentials. Something is ready not when there is nothing left to add, but when there's nothing left to remove. 

This research article will lead you through the process of condensing the scope of your IT security training initiative to make it as impactful and valuable as possible.

The Trap of Overtraining

When talking to trainees about the training they are taking, the number one complaint made is that the training is repetitive, long-winding and unapplicable to their daily work. Chances are that you yourself remember several mandatory training programs that you loathed for just this reason. 

But if everyone agrees that long winding diffuse training is unpleasant, why does it seem to be the norm? It comes down to two factors: Managerial risk hedging and bad procurement practices. 

Managerial Risk Hedging 

While you may or may not hold an official management position, the fact that you are reading these lines indicates that you have been put into a de-facto management role. As such, you need to make a decision on what training to either implement outright or recommend to decision-makers higher up. 

This creates an imbalanced risk surface. Most likely, the corporate structure you operate in has no incentives for providing “lean” training, and has many incentives to ensure you do not 'miss anything'. The (un)spoken assumption is that if two years down the line, a breach happens and its mechanism wasn’t in the training you recommended, you would be blamed. 

This – at its core – is the primary reason for every diffuse, unrelated and longwinded training you have ever participated in. Since there is no negative payoff for selecting too much training and a potential negative payoff for not selecting the right training, many managers opt for a “shotgun approach” to training selection. A bit of everything with a net cast as widely as possible. 

This in turn leads us directly to the next problem:  

Bad Procurement Practices

To prevent waste, nepotism and impulse spending, your procurement department likely has predetermined steps that need to be taken for every purchase. These often include an analysis of the product to purchase when compared to similar products in the market. 

Unfortunately, when it comes to high-tech training like that needed for cyber security, procurement is completely unequipped to actually evaluate the (dis)similarity of products. 

As such, there is a large incentive for vendors to compete in bigger numbers. If vendor A’s product lists its curriculum as 20 lessons and 5 hours while vendor B’s product lists its curriculum as 120 lessons and 70 hours, procurement will be strongly inclined to buy from vendor B. After all, without any further guidelines, the lesson count and duration is all they have to go on, and more is better. 

Where Does This Lead?

You most likely can already guess the answer to this question, but let’s go into detail. 

Vendors who adapt to playing the game of managerial risk hedging and procurement manipulation will list every topic they can think of, while churning out mass-produced content to tick the appropriate checkbox. 

For example, an important topic in information security training for web developers is Cross-Site Scripting. The topic can be abstracted well across languages and will ideally convey the general concept to the trainee. To do so, educational tools like attack simulations and hands-on challenges should be deployed. Comprehensive coverage of Cross-Site scripting should take about an hour, be hands-on and leave the trainee with an abstractable understanding of what the actual issue is. 

But if a vendor optimises for procurement and risk hedging, then the topic will be broadened and watered down. There will now be Cross-Site scripting modules for every programming language. In each of these modules instead of teaching fundamentals or providing hands-on experience, dozens of slides will mundanely go over every function in the programming language that could be used to prevent the attack. Completing the training now costs 20 hours and will leave the trainee with virtually no benefits since they still lack an understanding of the attack and will have forgotten all the function names minutes after hearing them. 

This is Dangerous

It is easy to assume that this sort of mis-selection only leads to annoyed employees and some lost worktime as team members slog through training slides. But the reality is much worse than that. 

These long-winding training programs may check all the boxes, but they provide no actual learning experience to the trainees. Since everything is drawn out and watered down in order to inflate value indicators, the core concepts are never introduced in formats poignant enough to be understood. 

Your organisation now has a false sense of security, thinking that everyone has been trained when nothing about the skill gaps you identified earlier has changed. 

To put a point on it, you must choose: Would you like to actually train your workforce, or would you like to check boxes you can point to when the inevitable breach happens? 

Avoid Watered Down Training

The way to deal with this problem is twofold. First, you need to make the active choice to prioritize good training over box-ticking. This will then allow you to prioritize what is important and select a training solution that fits the needs you identified. 

You then need to provide procurement with a list of specific training parameters that they can test against. The following questionnaire will help you with both. 

Questionnaire Overview 

The answers to the following questions will allow you (and by extension, your organisation) to narrow down and condense the scope of your cyber security training initiative.

What are the main objectives of this training? 

Take some time to mindfully reflect on what the future should look like post successful implementation of the training, and cross-reference this vision with your stated training objectives. Do they align? Does this training lower the specific risks of organisation faces? Is this actual skill development, or are we merely ticking a box to say our people are “compliant”?

Ensure your training curriculum is tight and on point. Anything that is beyond the scope of your clearly defined objectives should be questioned for whether it stays or goes. Remember, more training isn’t necessarily better training. In most circumstances, unnecessary training topics will distract learning capacity away from more critical training topics, therefore damaging the impact you're trying to create.

What are the top five skills trainees must take away? 

List down all the skills that you and your senior stakeholders have identified as required capabilities, and then begin to map those capabilities back to the core skills you’re training for. For example, if one of the requirements is “Cross Site Scripting for PHP, Java, C# and Ruby”, map each of these back to the core domain area that must be covered in your curriculum (in this case, Cross Site Scripting). 

Once you have mapped your requirements back to core skills, now is a good time to loop back to the senior IT professionals in your organisation who truly understand the attack surface your talent is facing, and the capabilities needed to mitigate persistent risks. Share with them your skills list and curriculum and request them to sign off on it as being ‘fit for purpose’. If they are not prepared to sign off on your training curriculum, ask them to be specific in precisely what is required as an output from the training, update your list, and begin the mapping process again.

Remember, your objective here is to increase training curriculum accuracy and relevance to organisational requirements while ensuring unnecessary content is removed from the training program.

The more defined and more refined your training program is, the greater the learning impact will be.

What is the MAXIMUM time the training should take?

There are really two questions here. The first is “how long will this training program take to implement and conclude”, and the second is “how long should trainees take to complete the training”.

Having clearly defined timing constraints on program creation, delivery, reporting and conclusion will ensure that all involved in the next steps can map their contributions to the delivery timeline. If you don’t want procurement to drag their feet on contracting a third-party training partner, tell them when their contribution must be made by. If you don’t want managers extending training deadlines to the staff in perpetuity, tell them when their contribution must be done by. If you don’t want training partners delaying delivery, tell them when their contributions must be completed by. All participants in the process should receive your communications in writing, and confirm they understand the timelines.

Be both unambiguous and realistic with communicating when this program must conclude by. Ensure your delivery partners give you no surprises because they “didn’t know.”

As for your trainees, ensure you connect with workforce managers to gain an understanding of employee capacity for completing your training within their workday. Staff will often resent training requirements must be done after hours, so ensuring that there is a reasonable time allocation within business hours will mitigate any disdain towards your training before they’ve even started.

It is reasonable to ask a trainee to complete their IT security training requirements within two weeks of launch. Be sure to reach out to trainees throughout the two-week process. Set up a schedule of reminder emails to ensure trainees didn’t miss the original training communication and login credentials, and respectfully remind them of the approaching deadline 10 days, 7 days, 3 days, and 1 day before the deadline.

Are prospective trainees already skilled at any of these topics? 

Sometimes training can be wasted. Do you know your trainee's pre-existing knowledge base? Without this, how do you know you are not delivering a program that will be perceived as a waste of time?

Ensure that you are developing actual new skills and capabilities that support the training objectives. There will be circumstances where you need to positively reinforce existing knowledge, and sometimes you may need to present pre-existing knowledge in a more applicable way to drive home the desired change. However, if there is an expectation that trainee behaviour will miraculously transform after you tell them something they already know, you might be in for a bit of a shock.

If you are doubling up on training to pre-existing knowledge without any new intelligence, consider deprioritising these topics for more critical learnings that will yield a higher impact on achieving your training objectives.

Furthermore, you should also review your trainee list to ensure your training efforts are focused on the right individuals.

Download: This simple-to-use questionnaire will help you define and refine the scope of your cyber security training program. (pdf)

How valuable is hands-on experience? 

Knowledge retention rates are significantly higher when trainees get to ‘do’ and not just watch. One of the pitfalls many training designers fall for is overlooking where they can embed hands-on experience into their cyber security training programs.

As we have discussed before, cyber security training is often a ‘stand and deliver’ experience. Whether that is through in-room facilitation or endless PowerPoint slides, training designers often miss key opportunities where they can leverage hands-on learning, in the moment. But this doesn’t need to be the case.

Ask your trainers and delivery partners where they see the opportunity to have trainees apply learnings in the session. Look at the skills you are developing for and speak with your colleagues and managers about how they have seen employees evolve similar capabilities while on-the-job. Some training providers leverage particular technologies to create hands-on experiences for trainees in the moment. This can not only save you time in training delivery, but also significantly increase knowledge retention of the topic being taught.

Can trainees shadow more experienced staff members? 

Peer-to-peer learning from internal IT colleagues can be a very powerful way to positively reinforce the lessons learned and support ongoing trainee development. You can work with your human resources department to identify key people in the organisation who are already skilled with the desired capabilities, and create a mentorship-style initiative that runs either in parallel with your training program, or runs beyond the conclusion of your training program.

However, to successfully architect a mentorship program, you’ll need to ensure that there is value for the mentor and not just the mentee. Is ‘stewardship of exceptional talent’ a key objective for the organisation? Is ‘supporting other staff’ something that is measured in 360° performance reviews? Will a mentor’s contribution to developing the skills in less experienced staff be valued by the organisation and celebrated openly?

You might find that some of the capabilities you are training for already exist in the organisation, albeit in a very limited number of individuals. Explore what options you have for tapping this knowledge base and socialising it across the trainee group. Doing so may give you the opportunity to further refine your training material while creating high-value touch points for your trainees.

Getting the parameters and scope of your training right will take time. However, the effort spent here will set you up to deliver a successful cybersecurity training program. As you move beyond condensing your scope, you must be mindful that things will change as time goes on. You should avoid assuming that once you have refined your scope, you can simply use this work repeatedly for years to come.

Cyber security threats are fast-moving, and the scope of your training should similarly evolve with these demands. subscribing to Reflare's research newsletter can help you stay up to speed with the ever-changing security landscape, and what it means to you. Review some of our related research briefs, and factor in these lessons when designing your next training cycle.