The value of cybersecurity training has been widely recognized by most organizations, in much the same way baseball and apple pie exemplify American culture. But developing an effective cybersecurity training program, like winning a pennant or baking a flaky pie crust, requires skill, effort, and the right ingredients.
Security chiefs already know that cyber training can cut back on staff losses at a time when the talent shortage still plagues companies. Studies show that instead of taking their new skills elsewhere for more money, highly trained staff stay on the job the longest. But enterprises need to build space for this learning and make it useful. Two-thirds of security professionals say they want to keep up with their cyber training, but only 17% say they have the time, because of the demands of their jobs.
This sets a pretty high bar for successful cyber education. Everyone has their recipe for an efficient program. Here are eight ingredients that can help deliver a meaningful experience for learners and lead to an improved security posture:
- Make the coursework relevant to real-world jobs. Don’t expect the staff to translate technical documents or abstract scenarios and relate them to their daily job functions. Give learners the sort of hands-on training that goes beyond theory to the day-to-day, and work in the technology tools they use every day. This way, the training can relate to the real world, and build the sort of muscle memory they need to leverage those tools at work. This kind of real-world training helps learners build the kind of job skills that are useful and will help them take on more responsibility.
- Make team-building part of the training goals. Think of cybersecurity as a team effort that involves everyone in the organization, especially with short-staffed security departments amid the prevailing talent shortage. Make sure the training program emphasizes teamwork. Focus all team assignments on practical efforts that will demonstrate how to work in concert to maintain a safe enterprise environment.
- Don’t overspend time and effort. It takes a lot to build and maintain environments with virtual machines and technology tools for training. Outsourcing this function to someone who has the experience and expertise to build a best-in-class teaching environment and handle the setup and maintenance of the tools can save a lot of time and expense at a time when both are at a premium for most enterprises. Don’t burden the staff with hardware and software maintenance when what they really need is cybersecurity training.
- Save investment for infrastructure at scale. Cybersecurity training tools can run into trouble when it comes to scaling up to meet the needs of the enterprise. If the company creates a dedicated training program, make sure tools can support learning at whatever scale the organization demands. Managers may need to shrink the class footprint to accommodate small groups, or deal with training classes or assessments that can include hundreds of employees. The plans need to be flexible in both class size and content.
- Plug in the automation. Instructors can get stuck dealing with housekeeping that does not add to learning, from handling assignments to marking classwork. It helps if the teaching tools in a program are designed to automate some of those repetitive administration tasks. A cybersecurity training program should have the kind of automated scoring and grading features that let trainers look at the overall performance of each student and raise issues for follow-up.
- Streamline content design. Cybercrime evolves fast, and any security training in this area needs to keep up. Most class content has a short expiration date and needs frequent revision to stay current with new threats. The cost of creating original training content that keeps up with the times can add up to more than the price tag of maintaining hardware. Some training programs are forced to retool old exercises to keep down the costs, and wind up with content that is a pale reflection of the threats in the current landscape. A partnership with a trusted supplier that has its own threat analysts and can keep materials current can offer the flexibility of continuous updates and relevant information.
- Keep learners up on the latest threats. The threat landscape constantly evolves, complicating all the administrative and operational workloads that security trainers have to handle. Training programs need to offer hands-on learning in dealing with new threats and vulnerabilities, rather than merely having learners read threat reports in class. Training and simulation exercises should offer students a chance to practice the skills they will need to face those incidents in the wild, giving them a chance to model how to identify, contain and remediate those threats for real.
- Get a hold of all training efforts. Open-source learning tools and free programs have their uses, but they are also limited. Cost advantages are often offset by offering little support or maintenance in setup and operation. Building a learning program from those components can look like a patchwork of solutions that undercuts the learning environment trainees need. Take control of the educational experience. It’s an investment worth making, especially if it results in a stronger security posture for the organization.
Like coaching a sports team, effective cybersecurity training requires the right equipment, managing multiple players, and keeping the budget in check. Stay in the game by following these eight recommendations.
Jeff Orloff, vice president of product management and technical services, RangeForce