Every year, you offer an IT security training program to your employees. You hope it is good enough to keep the company safe from phishing, spear-phishing and social engineering. There’s just one problem. If you have no way to verify the effectiveness of your training, your training might be creating more problems than it solves.
Fighting The Last War: When Training Goes Wrong
In IT security, you face a continually changing series of threats. That means your cybersecurity training from 2012 is probably no longer good enough. If you keep training people on out-of-date threats and technologies, you are effectively fighting the last war. To use a military analogy, out-of-date cyber training is like emphasizing horseback riding skills in the 21st century. Those skills are simply not adapted to today’s needs.
The Five Steps You Need To Measure and Improve Your IT Security Training
Rather than crossing your fingers and merely hoping you don’t get hacked, use this five-step procedure to evaluate your training.
1) Inventory The IT Security Training You Provide
Most companies we work with rely on a combination of IT security training offerings. At a minimum, your list of training will include:
- New Employee Training. When a new hire joins the organization, they may receive training on a wide variety of topics, including IT security. Make a note of this material for evaluation.
- Role Specific Training. Some job types face special risks. For instance, you might train your software developers to build security into their designs.
- Advanced Training. In the IT department, you may decide to fund some staff to earn outside certifications from ISACA and other leading organizations.
To build your inventory, make sure to speak with a variety of stakeholders, including human resources, a new hire, a manager and the IT department.
2) Compare IT Security Training To Your IT Security Objectives
Ultimately, your company provides IT security training because it contributes to your objectives. However, some companies let their training lag behind their strategy. For example, you may have made a strategic transition to the cloud a few years ago. However, if your IT training lacks strong coverage of cloud-specific security risks, your employees will have knowledge gaps.
3) Review IT Security Metrics and Reports
In the previous step, you looked at the strategic alignment between IT security training and your overall IT strategy. That is a helpful 30,000-foot view of training effectiveness. To home in on the details, consider these points.
- Completion Rates. Training nobody completes does not add value. Check your training system for completion reports. Further, ask whether your managers and human resources department have a process to follow up with each employee to ensure training is completed.
- Training Scores. Some IT security training systems provide only simple pass-or-fail reports. It’s more helpful to get detailed, per-topic scores. Why? A comprehensive score will identify specific areas (e.g. access management) where the training is unclear or where employees need more help.
- Training Feedback. What processes do you have to obtain feedback from users? Without feedback, it is difficult to know what you need to change. You may find that employees want more examples and exercises to find out how to apply IT security techniques in their daily work.
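The three points above (completion rates, per-topic scores, and the gaps they expose) can be checked from an ordinary training-system export. The script below is an added example for this article, not a tool from the original page; it summarises a constructed sample export whose column names (employee, department, completed, and one column per topic) are assumptions, so map them to whatever your own system produces. It computes completion rate per department, the mean score per topic among those who completed the training, and lists the topics that fall below a pass mark, weakest first.

```python
"""Added example (not from the original article): summarising a training
report export to find completion gaps and weak topics.

The LMS export below is constructed sample data; real exports differ, so
the column names (employee, department, completed, topic scores) are
assumptions for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per employee, blank score = not attempted.
SAMPLE_EXPORT = """\
employee,department,completed,phishing,access_management,cloud
alice,engineering,yes,90,60,85
bob,engineering,yes,80,55,70
carol,finance,no,,,
dave,finance,yes,95,65,40
erin,sales,yes,70,50,30
frank,sales,no,,,
"""

# Columns that are not topic scores.
META_COLUMNS = {"employee", "department", "completed"}


def parse_export(text):
    """Parse the CSV export into a list of records with numeric topic scores."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {
            "employee": row["employee"],
            "department": row["department"],
            "completed": row["completed"].strip().lower() == "yes",
            "scores": {},
        }
        for col, val in row.items():
            if col not in META_COLUMNS and val not in (None, ""):
                rec["scores"][col] = float(val)
        rows.append(rec)
    return rows


def completion_rate_by_department(rows):
    """Fraction of employees who completed the training, per department.
    Low rates show where managers or HR are not following up."""
    done = defaultdict(int)
    total = defaultdict(int)
    for r in rows:
        total[r["department"]] += 1
        if r["completed"]:
            done[r["department"]] += 1
    return {d: done[d] / total[d] for d in total}


def mean_score_by_topic(rows):
    """Average score per topic across employees who completed the training.
    Per-topic means, not a pass/fail flag, are what expose weak areas."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for r in rows:
        if not r["completed"]:
            continue
        for topic, score in r["scores"].items():
            sums[topic] += score
            counts[topic] += 1
    return {t: sums[t] / counts[t] for t in sums}


def weak_topics(rows, threshold=70.0):
    """Topics whose mean score is below the threshold, weakest first.
    The 70-point pass mark is an assumption; use your own."""
    means = mean_score_by_topic(rows)
    return sorted((t for t, m in means.items() if m < threshold), key=means.get)


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    print("completion by department:", completion_rate_by_department(data))
    print("mean score by topic:", mean_score_by_topic(data))
    print("topics below pass mark:", weak_topics(data))
```

On the sample data the finance and sales departments sit at 50% completion, and the cloud and access management topics both average below the pass mark while phishing does not, which is the kind of per-topic signal a simple pass-or-fail report would hide.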
4) Interview Stakeholders For Feedback
In the event you have rich and highly detailed reporting and comments about your IT security training, you can skip this step. However, we find that most organizations benefit from discussing IT security training with their stakeholders. You could use a survey or conduct a few workshops to gather feedback.
Use these discussion prompts to start the conversation with your stakeholders:
- Did you find anything unclear or impractical with our IT security tools and processes?
- What concept or technique did you find most helpful from IT security training?
- If you could change anything in the company’s IT security processes or technology, what would you change?
- What IT security systems take the most time to use? (If you receive no response, mention a few specific systems you use.)
After this step, examine the comments that came up. You will have a lot of feedback to sort through. Look for the most common feedback (e.g. everyone complained about password resets) and easy wins (e.g. people not knowing how to complete a process).
5) Identify Easy Wins To Improve IT Security Skills
By this stage, you understand your goals and the gaps in your training. Your next step is simple: develop a one-hour IT security training workshop that addresses a single need identified in the earlier steps. For example, offer a session on simple ways to use multi-factor authentication (MFA). If that is too advanced for your users, start with an introductory password session.
Keep the 60-minute constraint; it forces you to pick one topic and deliver it quickly. After you deliver the session, return to your findings from the earlier steps and select the next area for a quick win. Over time, your employees will gradually become more skilled in IT security.
How To Make Next Year’s IT Security Training Much Easier
Providing in-depth IT security training to every employee is difficult to achieve for most companies. There are so many security threats, and you only have so much capacity for training. There is a straightforward way to lighten the burden by using technology. Use better IT security software tools which ease the administrative burden of maintaining security. Less time on administrative tasks means your team has more bandwidth to make smart security decisions.
You might have a training module for managers today showing them how to file approvals for access requests. Instead, use Compliance Auditor to track requests. It keeps user requests and manager approvals in a single place. Alternatively, use Apollo to streamline password reset requests. When companies impose complex password rules, employees find those passwords harder to remember, so make it easy for them to obtain a new password whenever they need one. One caveat: a self-service reset flow must still verify who is asking (for example with a second factor) before it issues anything, because an unverified reset is exactly the path a social engineer will try first.