Emma Bickerstaffe is a Principal Research Analyst with the Information Security Forum (ISF).
In-house or outsourced? What makes a good security training programme, and what questions should buyers ask when procuring training as a service?
Every organisation requires an impactful security training programme that hardwires employees to intuitively perform their roles securely.
No matter how advanced technological solutions become, human error and negligence will always be a prevailing risk that organisations must proactively mitigate. Instilling and sustaining good security behaviour is a fundamental measure to prevent, identify and respond to security incidents caused by “the human factor”.
Whether such a programme should be developed and deployed in-house or outsourced to an external provider depends on the size and maturity of an organisation’s information security function. Even those organisations with the specialist expertise and resources necessary to develop and run a security training programme in-house may turn to training as a service as an input to their programme.
A security training programme should be designed to enable employees to identify cyber threats and report actual or suspected security incidents. It should not be delivered in isolation, but as a holistic programme based on psychological theory, which combines security education, training and awareness (commonly known as SETA) with practical initiatives that guide employees to make the right security decisions.
Developing systems, applications and processes in a way that promotes secure behaviour but does not hinder productivity (e.g. through visual cues or audio prompts) enables employees to proactively apply their learnings from SETA. Importantly, it also reminds them of the options available to them.
When procuring training as a service, buyers need to move away from a compliance-focused mindset to select a solution that is most applicable to the organisation’s specific context. Buyers can only know what solution they need if they understand the factors that are contributing to poor security behaviour.
A preliminary step is to establish the attitude of the workforce to security training (often linked to the corporate culture), the constraints imposed by security that employees dismiss as blockers to doing their job, and their general familiarity with secure practices. This analysis will put buyers in the best position to identify what they actually need in a training programme, so to select the solution that will work best for their organisation.
To be successful, a training programme must resonate with the audience; it must impart the desired knowledge, skills and competencies, and it must be conveyed in a stimulating manner that motivates employees to behave securely. Buyers should therefore consider whether the content is pitched at the right level – can it be tailored to specific roles and responsibilities, and how is that content delivered?