Large companies that develop a wide range of solutions, including security-critical software, and provide security monitoring and incident response services, make use of a wide range of security and security awareness training. This takes many forms and needs to cover a large number of topics at different levels of technical understanding.
If I search a corporate training catalogue for “Security”, I get well over 200 hits, ranging from basic security awareness training for all employees, through cyber awareness and risk for executives and more detailed secure DevOps training for developers to advanced courses on digital forensics and malware analysis for incident responders.
The majority of this is provided externally, but companies also do develop their own training internally as well as develop and sell tailored security training to others.
The first step in developing any training programme is therefore identifying the training need based on the role and technical ability of the trainee, as well as the outcome to be achieved by the training. There are a large number of different roles and people with different abilities, so we need a set of training programmes to match. The make/buy question – the decision on internal or external training – can only be addressed when you have identified that need.
Once there is a defined training need, there are a number of things to consider, all of which will impact on the make/buy decision, including:
Certification – If you are providing professional services to other organisations, then you may need independent certification, for example through a recognised programme. In some cases, the certifier’s own training will be a prerequisite for the certification (eg SANS), while in others, internal or third-party training can be used (eg CISSP).
Engagement – Cyber security is in many ways intangible, so it can be difficult to engage those for whom security is not part of their everyday activities and believe that security is the IT department’s job and they will just call them if there is a problem. It is therefore important to make awareness training, in particular, interesting and relevant to the trainee’s everyday life, possibly using home situations when there is no helpdesk to call to illustrate the consequences of a cyber attack and create a motivation to learn to protect themselves. Humour can also be useful in lightening what can be a dull topic for some, making the message more memorable.
The training needs to contain some level of interaction from the user. Simply teaching from a deck of slides is rarely effective, particularly with more detailed technical topics. Many online training courses are very good at this, including animation games and interactive feedback to engage the trainee and also assess how much they have learned.
Deeper technical topics will need to include hands-on exercises in real, or simulated, environments so that users can learn in realistic circumstances, ideally with a library of pre-defined attacks that can be used to test how they respond. The ability for the trainer to monitor individuals’ activities and to record and replay events also makes this a very powerful learning environment.
Evolving with the real world – Cyber security is a rapidly moving topic, so any training should evolve to keep up with what is happening in the real world. An example of this is using simulated phishing emails to test and train users on how to recognise this kind of attack. This can certainly be effective and you are likely to see a reduction in users failing to spot phishing emails as the exercise is repeated.
However, if the same or similar phishing and social engineering techniques are used each time, users may appear to have improved, but still fail to spot real phishing emails because the attackers have changed their approach. It is therefore important to factor in the cost of maintaining the training to reflect real-world changes if you plan to develop your own training.
Most companies will need to develop some internal training, or have training tailored to their specific situation. But for more general-purpose training, buying can be a better route, because of the cost of developing the training and maintaining it in a changing cyber environment.
All in all, the main thing is to fully understand the training need before making a make/buy decision, or engaging with a supplier.