Share this
How to Define the Right Cyber Security Training Objectives and Outcomes
by Reflare Research Team on Feb 19, 2023 6:51:00 PM
Identifying the right talent development areas for your organisation's infosec needs is all about asking the right questions... and listening carefully to the answers.
First Published 19th December 2020 | Latest Refresh 19th June 2024
After spending 14 months carefully designing and delivering the company's new IT security training program, Karen discovers that the CFO has just changed his password back to 'solarwinds123'.
6 min read | Reflare Research Team
It's All About Asking the Right Questions
Understanding the appropriate objectives and required outcomes of your training is a crucial step in choosing the right solution for your needs. It is also essential to evaluate the long-term impact of your training initiative. This questionnaire framework will help you achieve that.
The answers to the following questions will allow you, and by extension - your organisation, to identify who should be trained, what they should be trained on, what outcomes the training should have and how those outcomes should be measured. Based on the answers to these questions you will be able to select training programs and configurations that best suit your use case.
You can answer the questionnaire yourself. However, we highly recommend that you also consult other key people in your organisation (Head of IT, Business Unit Leaders, Legan & Compliance Officer) with these same questions to ensure you have a holistic perspective of what IT security capabilities you need to develop for, both now and the future.
Each question will require you to consider the skills and behaviours your organisation needs to develop, and the metric required to measure said development.
Identifying Challenges
In this first section, you will need to identify what challenges your organisation faces and how they relate to training. Do not attempt to set distinct training objectives yet. That is the content of a later step.
What are the main three challenges your organisation faces with regard to cyber security?
Think about the security challenges you are currently facing, have been facing or anticipate facing. Be careful not to focus only on the staff members or organisational units close to yourself. Consider all major divisions and all types of staff. If you lack the data required to make this assessment, this is the time to gather it.
How do the three challenges identified above relate to training?
Examples include increased phishing awareness in response to targeted attacks against your organisation and better code security by upskilling developers. Think about how the challenges relate to the skills of your employees and in which ways improving said skills may impact the challenges.
Setting Objectives
Based on the challenges and relations established in the previous section, the following questions will help you determine and set objectives for your cyber security training rollout.
What are the skills required for your staff members to meet the objectives laid out above?
Make sure to think about the different levels and divisions of your organisation. This answer will most likely be multi-faceted. The skills required of a senior manager in a marketing team will be very different from those required of a developer in a tech division. Depending on the breadth of your business and the height of your organisational structure, the length of the answer to this question will vary.
Which of the skills laid out above is most important or least important? Which ones represent the best investment and should be trained first?
Structure the skills laid out above into groups. Some will stand out as high-value skills with immediate, measurable payoffs. Others will have a lower value. Others still may only see payoffs in the very long term. Assess which skills your organisation should focus on. It is important to resist the urge to only include skills that are easily measurable. However, a good combination will include a combination of skills that between them are important, measurable, and actionable. A good timeframe for this assessment is the coming 2-5 years.
Segmenting Your Training
Now that the skills and objectives for training your organisation are identified, we can circle back to your workforce to create the segments to which the training is deployed.
What staff segments have large skill gaps that need to be addressed?
Look over the various segments of your workforce and determine if they require one of the skills determined above. If the answer is yes, next determine if they are already sufficiently trained in said skill. If not, then this is a segment that should be targeted by training. Run through the segments one by one and mark all that would benefit greatly. Do not try to filter out segments that appear less important during the first pass. You will filter them in the coming steps.
Is there a minimum seniority level that is required for training?
In most organisations, more training will become available as members move up the seniority ladder. While information security is one of the most universally trainable topics, there will still be a low-end cutoff. For example, 1-week interns do not require to be trained on complex cyber security matters. While it would benefit them greatly, the expense would be wasted due to their short time with the organisation.
Is there a minimum technology level that is required for training?
This question is extremely important for cyber security training. For example, training that covers the ins and outs of offensive security is very useful for developers and code auditors but virtually useless for managers. This is true even if all of them work in the same department.
Are there any other factors that need to be considered for training applicability?
Guides can never fully capture the complexity of real-world organisations. There may be departments with high turnover where training resources will have a low RoI. Alternatively, there may be departments moving into highly technical tasks in the near future that will benefit greatly from training even though they do not technically qualify for it now.
Download: This handy questionnaire allows you to capture all the information needed to successfully define your cyber security objectives and outcomes. (pdf)
Establishing Outcomes
You have identified challenges and set objectives based on them. The objectives have been correlated with skills and your staff segments have been evaluated based on their need for said skills. All that is left is to establish what outcomes you are aiming for and how they will be measured.
What outcomes can we expect from each segment after training?
It is a good idea to be as detailed as possible when answering this question. While it does not require a lot of detail per se, this is a good chance to identify incongruities in the previous steps. For each segment, consider their anticipated training and what the result of that training will be. Naturally, an improvement in the associated skill is going to be the primary result of training. However further outcomes can be established by considering how these improvements will impact the objectives and challenges they are tied to.
How will the outcomes be measured?
The answer to this question is highly dependent on the skills you are training. Some skills like phishing awareness training relate to frequent and quantifiable events. Others like secure coding have much longer and more irregular feedback loops. Try to establish metrics that are appropriate for the respective outcomes. In some cases, the timeframe will need to be long in order to capture enough data. If you cannot work with long timeframes either redefine your skills and objectives or balance easily measurable objectives with those that are harder to track. The right ratio will depend on your organisation and your management structure’s tolerance for ambiguity.
The benefits you identify in the previous section will also allow you to see if the training you implemented is adequate. If after a while the metrics do not show improvement relevant to your organisation, it might be time to look for a new vendor with a better fit.
Correctly defining your training objectives and outcomes is critical to staying on top of the security requirements of your systems and networks. However, the demands for specific infosec capabilities will evolve, often much faster than you are ready for. Staying up to speed with the challenges peer organisations are grappling with will help you (and your training outcomes) stay ahead of the curve. Review some of our related research briefs below, and leverage these lessons when planning your next training cycle.
Share this
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (1)
- April 2024 (2)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- June 2023 (2)
- May 2023 (2)
- April 2023 (3)
- March 2023 (4)
- February 2023 (3)
- January 2023 (5)
- December 2022 (1)
- November 2022 (2)
- October 2022 (1)
- September 2022 (11)
- August 2022 (5)
- July 2022 (1)
- May 2022 (3)
- April 2022 (1)
- February 2022 (4)
- January 2022 (3)
- December 2021 (2)
- November 2021 (3)
- October 2021 (2)
- September 2021 (1)
- August 2021 (1)
- June 2021 (1)
- May 2021 (14)
- February 2021 (1)
- October 2020 (1)
- September 2020 (1)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (2)
- March 2020 (1)
- February 2020 (1)
- January 2020 (3)
- December 2019 (1)
- November 2019 (2)
- October 2019 (3)
- September 2019 (5)
- August 2019 (2)
- July 2019 (3)
- June 2019 (3)
- May 2019 (2)
- April 2019 (3)
- March 2019 (2)
- February 2019 (3)
- January 2019 (1)
- December 2018 (3)
- November 2018 (5)
- October 2018 (4)
- September 2018 (3)
- August 2018 (3)
- July 2018 (4)
- June 2018 (4)
- May 2018 (2)
- April 2018 (4)
- March 2018 (5)
- February 2018 (3)
- January 2018 (3)
- December 2017 (2)
- November 2017 (4)
- October 2017 (3)
- September 2017 (5)
- August 2017 (3)
- July 2017 (3)
- June 2017 (4)
- May 2017 (4)
- April 2017 (2)
- March 2017 (4)
- February 2017 (2)
- January 2017 (1)
- December 2016 (1)
- November 2016 (4)
- October 2016 (2)
- September 2016 (4)
- August 2016 (5)
- July 2016 (3)
- June 2016 (5)
- May 2016 (3)
- April 2016 (4)
- March 2016 (5)
- February 2016 (4)