
How to Define the Right Cyber Security Training Objectives and Outcomes

Identifying the right talent development areas for your organisation's infosec needs is all about asking the right questions... and listening carefully to the answers.

First Published 19th December 2020  |  Latest Refresh 19th February 2023


After spending 14 months carefully designing and delivering the company's new IT security training program, Karen discovers that the CFO has just changed his password back to '123456'.

6 min read  |  Reflare Research Team

It's All About Asking the Right Questions

Understanding the appropriate objectives and required outcomes of your training is a crucial step in choosing the right solution for your needs. It is also essential for evaluating the long-term impact of your training initiative. The questionnaire framework below will help you do both.

The answers to the following questions will allow you, and by extension your organisation, to identify who should be trained, what they should be trained on, what outcomes the training should have and how those outcomes should be measured. Based on these answers you will be able to select training programs and configurations that best suit your use case.

You can answer the questionnaire yourself. However, we highly recommend that you also put the same questions to other key people in your organisation (Head of IT, Business Unit Leaders, Legal & Compliance Officer) to ensure you have a holistic perspective of which IT security capabilities you need to develop, both now and in the future.

Each question will require you to consider the skills and behaviours your organisation needs to develop, and the metrics required to measure that development.

Identifying Challenges

In this first section, you will need to identify what challenges your organisation faces and how they relate to training. Do not attempt to set distinct training objectives yet; that is the content of a later step.

What are the three main challenges your organisation faces with regard to cyber security?

Think about the security challenges you are currently facing, have faced or anticipate facing. Be careful not to focus only on the staff members or organisational units close to yourself. Consider all major divisions and all types of staff. If you lack the data required to make this assessment, this is the time to gather it.

How do the three challenges identified above relate to training?

Examples include improving phishing awareness in response to targeted attacks against your organisation, or improving code security by upskilling developers. Think about how each challenge relates to the skills of your employees and in which ways improving those skills may reduce it. Not every challenge will have a training component; an unpatched externally facing system is a process or tooling problem, and it is worth noting such cases so that training is not expected to solve them.

Setting Objectives

Based on the challenges and relations established in the previous section, the following questions will help you determine and set objectives for your cyber security training rollout.

What skills do your staff members need in order to address the challenges laid out above?

Make sure to think about the different levels and divisions of your organisation. This answer will most likely be multi-faceted. The skills required of a senior manager in a marketing team will be very different from those required of a developer in a tech division. Depending on the breadth of your business and the depth of your organisational structure, the length of the answer to this question will vary.

Which of the skills laid out above are most and least important? Which ones represent the best investment and should be trained first?

Structure the skills laid out above into groups. Some will stand out as high-value skills with immediate, measurable payoffs. Others will have a lower value. Others still may only see payoffs in the very long term. Assess which skills your organisation should focus on. It is important to resist the urge to include only skills that are easily measurable. A good selection will include skills that, between them, are important, measurable and actionable. A good timeframe for this assessment is the coming 2-5 years.

Segmenting Your Training

Now that the skills and objectives for training your organisation are identified, we can circle back to your workforce to create the segments to which the training is deployed.

What staff segments have large skill gaps that need to be addressed? 

Look over the various segments of your workforce and determine whether they require any of the skills identified above. If the answer is yes, next determine whether they are already sufficiently trained in that skill. If not, this is a segment that should be targeted by training. Run through the segments one by one and mark all that would benefit greatly. Do not try to filter out segments that appear less important during the first pass; you will filter them in the coming steps.

Is there a minimum seniority level that is required for training?

In most organisations, more training becomes available as members move up the seniority ladder. While information security is one of the most universally trainable topics, there will still be a low-end cutoff. For example, one-week interns do not need to be trained on complex cyber security matters. While it would benefit them, the expense would be wasted due to their short time with the organisation. Note that this cutoff applies to in-depth training only; basic onboarding material (password handling, reporting suspicious messages) should still reach everyone with an account.

Is there a minimum technology level that is required for training?

This question is extremely important for cyber security training. For example, training that covers the ins and outs of offensive security is very useful for developers and code auditors but virtually useless for managers. This is true even if all of them work in the same department.

Are there any other factors that need to be considered for training applicability?

Guides can never fully capture the complexity of real-world organisations. There may be departments with high turnover where training resources will have a low ROI. Alternatively, there may be departments moving into highly technical tasks in the near future that will benefit greatly from training even though they do not technically qualify for it now.


Download: A questionnaire (PDF) that lets you capture all the information needed to define your cyber security training objectives and outcomes.

Establishing Outcomes

You have identified challenges and set objectives based on them. The objectives have been correlated with skills, and your staff segments have been evaluated based on their need for those skills. All that is left is to establish what outcomes you are aiming for and how they will be measured.

What outcomes can we expect from each segment after training?

Be as detailed as possible when answering this question. The question itself does not demand much detail, but working through it is a good chance to identify incongruities in the previous steps. For each segment, consider the training it will receive and what the result of that training will be. Naturally, an improvement in the associated skill is going to be the primary result. Further outcomes can be established by considering how that improvement will affect the objectives and challenges it is tied to.

How will the outcomes be measured?

The answer to this question depends heavily on the skills you are training. Some skills, such as phishing awareness, relate to frequent and quantifiable events: click and report rates from simulated phishing campaigns can be compared before and after training. Others, such as secure coding, have much longer and more irregular feedback loops, for example the number and severity of findings per release from code review or security testing. Try to establish metrics that are appropriate for the respective outcomes, and record a baseline before training starts so that there is something to compare against. In some cases the timeframe will need to be long in order to capture enough data. If you cannot work with long timeframes, either redefine your skills and objectives or balance easily measurable objectives with those that are harder to track. The right ratio will depend on your organisation and your management structure's tolerance for ambiguity.

The metrics you establish in this section will also allow you to see whether the training you implemented is adequate. If, after a reasonable period, the metrics do not show improvement relevant to your organisation, it might be time to look for a vendor with a better fit.

Correctly defining your training objectives and outcomes is critical to staying on top of the security requirements of your systems and networks. However, the demand for specific infosec capabilities will evolve, often much faster than you are ready for. Staying up to speed with the challenges peer organisations are grappling with will help you (and your training outcomes) stay ahead of the curve. Review some of our related research briefs and leverage these lessons when planning your next training cycle.
