In-house security training is often a knee-jerk, last-minute moment for most companies, and course development is typically crammed into a CISO’s workload, which is already sitting at 110%.
It’s not that the content isn’t good or that the trainer is inexperienced; it’s just that companies don’t really have the time to develop, maintain and improve course material. They need to be focused on what they do best, which is selling their products and/or services and maximising profit.
Having a company’s CISO hand-deliver training is risky, not least because it may not elicit much in the way of two-way communication. The same staff who have been reprimanded by the same CISO for clicking on clickbait may not be so willing to put their hand up and ask questions, for fear of further reprimand. Well, that’s really the result of bad company culture and a military-style command structure, but I won’t delve into that further.
On the other hand, a decent outsourced training provider will have developed and delivered its content over many years. It will already have a polished look and feel, and a trainer can confidently breeze through it. He or she will happily answer questions and won’t need to be at the end of a phone to handle any priority one incidents.
Cyber security training should also not be seen as just an annual exercise to satisfy FCA, ISO or PCI compliance. The phenomenon of training fade is by now well proven: staff simply forget what they’re taught after a few weeks, or a few months if you’re lucky. Some do so in a few days, but let’s not bring your board into it…
I do think in-house training can work if you have a dedicated trainer, or in-house security awareness champions, and this is a route some larger companies will take. But it boils down to this: is using in-house staff cost-effective, and is it what they really want to be doing?
The average salary in London, for example, is about £35,000. A decent suite of continually improving cyber security training courses, videos, email campaigns and so on will cost a fraction of this, and you’ll know the job is being done properly, since nobody seems to trust their own staff when it comes to cyber anyway. Again, a culture problem.
I’ve said many times before that cyber security isn’t simply the CISO’s problem, it’s everyone’s, and until companies start trusting and empowering their staff when it comes to cyber, not even the best cyber security trainer can help you.