Last of a 3-part series based on the CyberRisk Alliance/Immersive Labs eBook “Achieving Cyber Resiliency Through Workforce Optimization.”
Many existing cybersecurity training courses do not adequately prepare your workforce for responding to security incidents. Training courses are boring, take up too much time, are often outdated and, worst of all, your staff may resent doing them.
It's far better instead to implement a series of short, interactive, engaging exercises that staffers can do on their own time, and to assign new exercises every two or three months so that new threats can be incorporated. In that way, your workforce can be truly optimized and prepared to respond to cyber threats.
The downsides of traditional cybersecurity training
Most organizations conduct cybersecurity training sessions for their employees, but the format of these sessions are ineffective. The training typically consists of a half-day or full-day session during in which staffers passively watch slideshows outlining proper security procedures and are then given multiple-choice quizzes to demonstrate what they have "learned."
The primary aim of such exercises is often not to strengthen a company's cybersecurity posture, but instead to certify that most employees have been trained according to the parameters of the course. The company wants most staffers to pass; in that way, it can say that its cybersecurity training requirements have been fulfilled for the next six or 12 months.
Alert, attentive employees will indeed learn from such sessions, and a company's cybersecurity stance will improve if at least some of the employees come out with a better understanding of how to spot and respond to phishing emails, social-engineering attacks and other commonplace threats.
However, many other employees will regard the training sessions as a chore to be endured and may resent the chunks of time taken out of their busy schedules.
"PowerPoint presentations don't work with adults," said Bec McKeown, director of human science at Immersive Labs and a psychologist who previously worked with the UK's Ministry of Defense. "They're not kids, not naive blank slates."
Furthermore, the often-passive nature of the training doesn’t encourage employees to dynamically react to new threats, especially if the threat scenarios presented during the training are implied to be the only kind that employees need worry about. And the long stretches of time between training sessions, which in some firms occur only once a year, ensure that the lessons learned are soon forgotten.
The benefits of next-generation cybersecurity training
A new type of cybersecurity training, such as Immersive Labs' Cyber Workforce Optimization, aims to solve these problems by replacing long, infrequent, passive exercises with short, frequent, dynamic ones. Instead of yearly sessions that take up a whole day, these next-gen training exercises run from 20 to 90 minutes.
Instead of having to dedicate hours of their time to group sessions, employees can use a web browser to run through individual exercises at their own paces and schedules. Instead of having to watch a dull slideshow and then be quizzed on what was presented, employees are made to participate in threat exercises during which they are forced to make decisions, either by themselves or as part of a group.
These short sessions can be conducted every two months or so, making sure that an employee's skills are kept sharp through repeated use. The sessions need not be the same every time; the very fact that the skills are being used will be enough to keep the employee primed.
Finally, the individuality and flexibility of the training sessions means that each employee's exercises can be fine-tuned to that individual's skill set, aptitude, previous experience and current role. You wouldn't expect an ad-sales rep to need the same training as the COO.
This process consists of "making sure the right people have the right levels of skills, knowledge and judgment at the right time," said Immersive Labs' McKeown. "It's the optimal way of doing things. You're not wasting time, money and energy in giving everyone the same sort of training when they just don't need it."
Steps to take toward next-generation cybersecurity training
Whether or not you implement Immersive Labs' Cyber Workforce Optimization or a similar program, here are half a dozen steps to make cybersecurity training something that your employees can look forward to and truly learn from.
1. Break up the training into bite-sized chunks: Nix the interminable PowerPoint slideshows. Break up the training into individual sessions covering only one or two topics each. These should take an hour or less so that staffers can return to their normal duties without too much disruption.
2. Hold exercises more frequently: Replace the yearly session with bimonthly exercises, which will keep employees' skills sharp and their knowledge up-to-date. Each exercise can cover different topics but should include a core set of lessons.
3. Make the exercises interactive: Staffers will learn more if they're active participants in their own learning processes, creating both more engagement and a larger sense of ownership of your company's cybersecurity posture.
4. Fit the training to the job: Different jobs require different cybersecurity skill sets, and training should be tailored to an employee's role and responsibilities. Don't train someone to acquire a skill they'll never use — instead, use that time to add skills particular to their positions.
5. Let employees learn at their own pace: Assume that your employees can manage their own time, and don't dictate when to take cybersecurity training. Let them do it according to their own schedules. Many employees will do the exercises after hours without any time taken away from normal business.
6. Let employees make mistakes: It is not necessary to penalize employees for getting something wrong during training, and in most cases, people learn from their mistakes. Put employees in simulated crisis scenarios during the training and let them make their own decisions — and have discussions about what they could have done better. Next time, they'll know what to do.