Share this
by Reflare Research Team on Jun 27, 2023 6:59:00 PM
Having an acute understanding of not just the 'what', but the 'why' your staff members require specific capability development is critical for deploying training that gives the business what it really needs.
First Published 12th August 2020 | Latest Refresh 27th June 2023
Staff Development GOOOOOOOOOOAL!!!
7 min read | Reflare Research Team
Don't Be Misled By Your Own Biases
Understanding what IT security capabilities your organisation needs is pretty obvious to most who are in charge of learning and development. However, all too often trainees find themselves sitting through mundane and generic infosec presentations that are so far removed from their day-to-day reality that they are viewed as a complete waste of time. Don't believe us? Ask them! And while you're at it, there are a few other questions you should ask to gather objective evidence for ensuring your development goals are a) what trainees actually what, and b) what the organisation actually needs.
This research article will lead you through the discovery process required to define the cyber security development goals that matter most and will yield the greatest impact.
Questionnaire Overview
The answers to the following questions will allow you (and by extension, your organisation) to identify the supports best suited to your training needs. These supports may be formally codified or informally provided.
Taking Stock
In this section, you will discover the current state of your organisation and where you would like to head. This will form the basis of your analysis.
What changes in behaviour are you trying to achieve?
This is a question around gathering data from across the organisation and deriving meaningful, objective requirements for where the behaviour of staff needs to be. Be sure to avoid ‘group think’ by ensuring you speak with different stakeholders from different departments of the organisation. If you only speak with sales managers about what they think ‘better security behaviour’ looks like, then you will unsurprisingly create objectives that only cater to the perspectives of the sales department.
Additionally, “creating greater security awareness” or “improving infosec compliance” might be completely reasonable objectives. However, they are too abstract when defining concrete outcomes to build meaningful goals around. It pays to push a bit harder to define specific, observable behaviours related to specific technologies or processes that you want your training to deliver on.
What gaps in skills are you trying to overcome?
It’s one thing to ask staff to behave in a particular way, but do they even possess the skills needed to make the desired behavioural change commonplace? Identify the key skill (or combination of skills) needed to allow staff to naturally evolve their ways towards the behavioural change that becomes second nature. Speak with those who manage the trainees, and seek to understand what practical and operational skills are required to deliver with a high degree of IT security in place.
Are the technological requirements of your employees evolving? Are new systems and processes being introduced? Are your recruitment practices employing talent without evaluating for the skills that you are now being asked to train for? Possessing an understanding of how these skill gaps came to be will help you diagnose if training for these skill gaps alone will solve the problem, or establish if you are up against something beyond the scope of your training.
Have there been previous initiatives aimed at overcoming the same skill gap? If yes, were they successful and should they be replicated here?
Spend some time taking stock of prior IT security training initiatives, and understand, in detail, why they succeeded or failed. Speak to past trainees and gain their insights on what they liked and didn’t like about their prior training experiences. It may be a circumstance that you don’t have to completely reinvent the wheel from scratch, or it might be wise to start with a clean piece of paper. If you don’t know where the organisation has come from, it is more difficult to map a credible path forward.
Is there any documented feedback from prior IT security training sessions that you can review? How did your organisation measure (if at all) the impact of prior IT security training? It is also important to be mindful that IT security training that was done in the past may not necessarily be representative of the IT security training that is needed today. The times are a changin’. However, be cautious of the influence of new security fads! The only industry more fashionable than ‘fashion’ is ‘tech’. Just because something is brand-new doesn’t necessarily mean it’s good for the organisation... or that you must train for it.
Messaging
Now that you know where you are and where you need to get, the next section will examine how the need for improvement is best conveyed to your workforce. Great messaging can often do what droves of internal policies and incentive structures cannot.
How can the gap in behaviours and skills best be framed for the workforce?
It is vital you break down the purpose of your security training into impractical and unambiguous terms. Make sure to speak the language of your trainees, and translate training objectives into the risks mitigated, the value created, and the impacts on workflows when the lessons from the training are successfully embedded into the organisation.
If trainees have an understanding not only of 'the how' they are being trained, but also 'the why' they are being trained, they will be less resistant to see this as yet another box-ticking exercise from head office. Aim to communicate at a personal level the positive implications that come from successfully completing this training, and adopting the lessons learned into their day-to-day activities.
How can the new skills and behaviours be conveyed?
The mode of communication should suit the culture of the organisation. For some organisations, it is a ‘stand and deliver’ message from the most senior person in the leadership team. For others, it should be delivered at the individual work team level by a respected peer. It’s important to acknowledge that it’s not what you say, but it’s how you’re heard. If you deliver business units an email from HQ where there is a ‘us and them’ culture, then it is reasonable to respect rolling eyes as your response. Know your audience, and meet them where they are – not where it’s convenient for you.
Modes of delivering an IT security training message can be a broad-brush as an announcement as the next ‘All-Hands’ meeting, an internal webinar, or all staff email. More personalised communications can come in the form of informal lunch and learn sessions, shared next steps during 360 performance reviews, or personalised outreach to individual team managers with scripting for how to pass forward the message within a specific time frame. And sometimes it will be a combination of all the above. The key is to go for authenticity in message delivery while credibly demonstrating why IT security is important to them individually, with positive reinforcement throughout the training journey.
What is the timeline for skill and behaviour changes?
All good capability development goals are time bound. However, it is unreasonable to expect everything to change the day after your security training is delivered (although that would be nice). Your timelines must be based on a realistic expectation of your training program to deliver the learnings, your trainees to accept and embed the learning, and then your managers to observe behaviour moving from what was to what will be... which all takes time.
Positive reinforcement of training outcomes, and the organisation's commitment to the team achieving these outcomes, will shorten the speed of knowledge becoming action. Positive reinforcement of the desired behaviours one week, two weeks, four weeks, and six weeks after the training has concluded is wise. Additionally, managers should be continually encouraging their teams to apply lessons learned to their workflows. Although you may have dream employees and could be lucky, if you assume that your trainees will automatically ‘just do it’ without any ongoing support post training delivery, your benefits might take a very, very long time to arrive. The stronger your trainee support structure is to reinforce the learnings after the training, the quicker you will see the benefits of the training in business-as usual-operations.
Download: This easy-to-use questionnaire will help you document the information needed to define the right development goals. (pdf)
Roadblocks
You now know what skills and behaviours need to be changed and how to do it. In this next section, we will go over potential roadblocks to make sure they do not interfere with implementation.
Do any of the planned activities require additional resources or approval?
Good IT security training planning should consider resources Beyond just the training itself. Resources can come in the form of talent such as leadership (EG: using a CXO executive to echo the importance of the training), executive sponsorship (to ensure you have someone upstairs prepared to fight for your training to go ahead should someone want to pull resources away from you), and managers (to support trainees translating knowledge interaction post-training). Think through these key stakeholders, and be sure you give them what they need to help you succeed.
Securing written sign-off from your compliance team to ensure your training supports relevant standards the organisation must adhere to is a fundamental ‘must do’. “Often the resource here will be time. Time to explain, time to negotiate, and time to comply. Ensure you work hand-in-hand with your compliance team, as leaving them behind until this stage in the process could set you back weeks or even months.
Should you be using a third-party IT security training vendor, ensure you are aware of any hidden costs that might exist beyond the contracted agreement. What is the implication should the number of trainees grow or the scope of IT security topics increase? Get ahead of any surprises before you lock down your budget. Where possible, allow for a little bit of scope creep. However, if you have diagnosed the IT security training requirements of the organisation correctly, you shouldn’t have many resourcing challenges.
How can the gap in behaviours and skills best be framed for the managers overseeing the workforce?
Some would argue that this question is encapsulated in the prior question. However, when it comes to the successful execution of the training, the role of workforce managers is not to be underestimated. How do they perceive IT security in their department? Do they believe the time investment of the team undergoing security training will give them a valuable return on investment?
Many managers work diligently to keep ‘non-core activities’ away from their workforce, as they see it as a distraction from the efficiency they strive to achieve. You need their buy-in! You may need to sit with these managers and explain in very visceral terms the value your training will give the department. Invest this time, listen to their concerns, be transparent in your intentions, and work with them – not against them. If you build your manager into an IT security ally, your probability of rolling out a successful training program will increase significantly.
Correctly defining clear and unambiguous cyber security development goals is vital not only for delivering practical skills to your trainees, but also for gaining commitment from senior stakeholders to help support the transition from 'training knowledge' into 'workflow action'. However, this will not be a 'one-time' process, as your talent development goals will need to change with evolving IT security practices and new security threats.
This very research blog can help you stay up to speed with the ever-changing security landscape. Review some of our related research briefs, and factor in these lessons when planning your next training cycle.