Learning and development teams are increasingly outsourcing the creation and delivery of IT security training to other departments or third-party vendors. However, not being aware of the limitations of your training solution may be worse than not training at all.
First Published 12th June 2020 | Latest Refresh 15th August 2022
IT security training solutions – same same... but different.
7 min read | Reflare Research Team
Although there are various factors that drive talent development requirements for infosec, over 80% of organisations unsurprisingly report that the two largest reasons for delivering IT security training are 1) to meet compliance requirements, and 2) to increase security awareness.
What is surprising is that many of those in charge of shaping what the training will look like evaluate different solutions with criteria that are completely devoid of trainee context or workflows. Even worse, many decision-makers architect their training programs without understanding all the additive benefits they could pick up for little to no extra effort. As a result, many IT security training initiatives leave significant value on the table, but it doesn't have to be this way.
This research report will guide you through evaluating your options so that you select the IT security training solution that best meets your requirements and budget.
First, note that there are several actions you should complete before selecting which training to deliver. To ensure your selection process is successful, we highly recommend you download our step-by-step overview.
Second, once you have identified the right trainees, ascertained where their skill gaps lie and clarified the time schedule by which those gaps should be filled, the next step is to choose a training solution that will do the job well.
Third, you can do this either by relying on internal talent or by finding outside vendors. The following questionnaire will guide you through identifying which solution is adequate for your needs.
If you rely on internal talent to train your wider workforce, make sure that the coaches you select are at least two skill levels above the trainees. Staff members with only a marginally better understanding of the subject matter will not be able to convey the contents well, respond to questions or command the authority necessary for effective training.
Similarly, make sure to address large hierarchical gaps should they exist. For example, C-level executives may be reluctant to accept training from an employee fresh out of university.
Answer the following questions to the best of your abilities. If you lack the data required to answer any of the following questions, now is a good time to gain access to it.
Does the solution cover the training requirements?
Ensure you understand all aspects of training delivery, and that they are included in the overall solution. Some IT security training vendors have complex (and sometimes convoluted) offerings across the different topic domains within cyber security. Confirm that all of your capability and compliance requirements are covered by the training curriculum, the testing (sometimes an extra cost), and the reporting (sometimes more extra cost). Double-check that everything you need is included in your quote, and avoid nasty billing surprises.
Caution: It is easy to buy training programs that exceed your scope. Many vendors have a financial incentive to sell longer programs covering more cyber security topics. Although it may appear to be better value for money, longer training programs are not better training programs. Your trainees have a finite capacity to take in knowledge and turn it into on-the-job action. Don’t go ‘over the top’ with giving them nice-to-have, unnecessary content. Instead, keep your training concise, stay true to the needs of your organisation, and aim to deliver that content in the most impactful way possible, within the resources you have available.
Make sure that your trainee's experience is on-point, fit for purpose and actionable to their workflow. Remember, buying a solution because it gives you access to “5,000 advanced phishing email templates” might look like a great deal, but will it actually improve the behaviour of your trainees? In reality, almost certainly not.
Is the person or company providing the solution specialised in cyber security?
Be sure to ask your vendor what their security industry credentials are. Who is on the research and support teams to help me deliver the training successfully? Where did these training materials come from?
It can be quite tempting to use training generalists (à la Udemy) to deliver IT security training. And don't get us wrong: generalist learning platforms are great... for general information. However, cyber security is an incredibly specialised field that requires particular ways of thinking to deliver meaningful results. Your users are dealing with sophisticated attackers, malware and phishing campaigns every single day, and you need to match (or preferably exceed) that effort to achieve meaningful cyber resilience, not only for today but also for tomorrow. Although most generalist training platforms are incredibly cost-effective, you ultimately get what you pay for.
Please, please, please.... be sure to only use proven cyber security training professionals to deliver cyber security capabilities to your team. If you must cut corners to deliver your training, this is not the place to do it.
Can the solution scale to your requirement size?
Many internal and third-party IT security training solutions do not scale effectively. When it comes to training developers and administrators, the most common mode of delivery (unfortunately) is the hands-on, live training workshop. This is fine if you are training a small number of technical staff. However, once your numbers start to expand, your costs grow non-linearly: more room hire, more printed materials, more trainers, and more hours of your key technical talent away from business-as-usual activities. Your spend ramps up, but the positive impact may not.
On the other hand, online, self-paced PowerPoint presentations are incredibly scalable. However, when was the last time you took an online slide-after-slide training presentation only to be met with a relatively benign multiple-choice question at the end? And if you think back to the last time you took one of these, did you actually learn anything from it that changed your behaviour and how you work today? Trainees see this sort of delivery method as an annoyance, and treat it as such. Often clicking through the slide presentation while eating lunch or on a team call, they will randomly click through whatever answers are in front of them until they hit the sufficiency pass grade, and then go back to the day. They learn very little, and retain even less.
“Death by PowerPoint” is a real thing, and should be avoided if at all possible. There are scalable, customisable and cost-effective solutions in the market that strike a balance between scalable delivery and high-impact, hands-on capability development. Be sure to explore all possible solutions before making your final decision on who to go with.
Does the solution provider have a track record of success?
Please don’t be tempted to give this initiative to your intern to build and deliver. Additionally, don’t be tempted to give it to the biggest name in the industry just because “no one ever got fired for buying IBM”.
Ask open-ended, explorative questions, and listen attentively to their answers. Can I see testimonials from other customers? How long have you been delivering IT security training? Can I put your training in front of my CISO to review? What other products and services do you sell other than cyber security training?
Conducting basic validity checks on the credibility and track record of your trainers is a must. Seek to understand their history and evaluate their domain expertise. For example, have the lead trainers and content designers been quoted in infosec literature or spoken at cyber security events?
Ask context-specific questions directly to the trainer/vendor to evaluate if they have a deep understanding of what your organisation is trying to overcome. Ask how they can partner with you to design a training program that suits your use case, and critically... confirm they have the in-house expertise to help you deliver.
If a job is worth doing, it’s worth partnering with someone who’s successfully done it before.
Does the solution match your organisation?
When it comes to impactful cyber security training, making the materials relevant to specific trainees is key. If you are developing your training in house, does your lead designer have sufficient understanding and context to customise the training content that speaks directly to the trainee’s workflow?
If you're looking at third-party providers, ensure that you have the ability to quickly supplement their training materials with your own organisation's messaging or specific internal processes. If you're using a solution that cannot be customised, be sure to evaluate how big the gap is between the training you're delivering and the trainees' reality.
We cannot stress enough how much customised training material that speaks directly to the trainee's reality will improve the translation of knowledge into action. Solutions that achieve precisely this do exist, so make it a criterion when you evaluate.
Evaluating a cyber security training solution needs to be done carefully. Getting it wrong means, at best, that you leave value and trainee impact on the table, and at worst that your training initiative fails. Be mindful, too, that what you are training for is constantly evolving. Cyber security threats change at an incredibly fast pace. Adversaries know this, and they use your 'Annual IT Security Awareness Training' cadence against you.
As part of selecting the right training solution, you (yes, you, the customer of your solution provider) must stay on top of the cyber resilience of your teams and the emerging threats your organisation faces.
The good news is this very research blog can help you stay up to speed with the ever-changing security landscape. Review some of our related research briefs, keep these in mind when evaluating your training solutions, and consider subscribing to receive the latest information directly in your inbox.