Knowing that you should be investing in cyber security training is one thing; understanding how a training partner can deliver what your organisation needs can be a challenge, even for those working within training or cyber security. In this article we hope to give you some insight into what we see as important and how we go about building our training courses, whether they are public or bespoke to clients.
The overall objective of our cyber security training is to enable you to meet your business goals and add real value to the work needing to be done around cyber security. As a business we offer both pre-built courses and the ability to either tailor those to your organisation or build something completely bespoke. At a high level we work hard to ensure that every course we build and deliver improves the awareness among all staff of the importance of cyber and information security. Over time, training will instil a “culture of security” into staff so that consideration of security becomes second nature, and the first filter through which staff view all that they do within their roles.
For many organisations, cyber security training is not just about a general level of awareness or highlighting risks to senior teams and managers. It must also, in terms of content and tone, align with the organisational values, vision, policies and processes, as well as any security frameworks that the organisation has chosen to adhere to or that are an industry or regulatory requirement. Whether they be ISO 27001, Cyber Essentials or those more specific to your sector such as DSPT or NIST, the training content (and also the knowledge of the trainer) must be able to relate back to them and further support key security principles, policies and processes within the business. As an example, if you already have an Incident Response Plan in place, the training content must be aligned to the procedures within it; otherwise your response could be compromised when a cyber-attack occurs.
Content is king, or at least is a king-like counterpart to delivery.
We believe that the way training is delivered is a fundamental part of ensuring the goals you set for engaging with cyber security training are achieved. Each delivery method has its own benefits and limitations. The goals of engagement and scalability tend to be at odds – in-person delivery allows for much more interactive training, exercises, questions, clarifications, group discussions etc., and also allows an experienced trainer to tailor delivery based on the audience in the room. This creates better engagement, but scalability is limited due to the human resources required. Recorded or computer-based training is typically the opposite – more scalable, but less engaging and personalised, and thus less effective. To ensure you strike the correct balance, it is important to think objectively about who is going to be receiving the training and how they learn best.
As an example, we would suggest that for employees in high-risk roles, or where a greater degree of knowledge is required in order to support others (for example managers and team leaders), you would always aim to deliver in-person or in-person remotely. Whenever trainers deliver remotely, they would utilise key techniques from in-person training such as group discussions, breakout rooms and chat functions. Another key factor for consideration should be that the training is delivered by experienced consultants who work across a range of client businesses and industries. Real-world insight into such a fast-moving range of threats is something that our consultants bring to every training session they deliver.
We believe that delivering training in an interactive and engaging format, making it relevant to both the delegate and the business, is central to ensuring the learning quickly embeds with the delegate and is taken back home and into work. If it is seen as a tick-box exercise, either in its planning, communication or delivery, and doesn’t challenge the delegate to be a part of the process, then we know through experience that realising your goals becomes an uphill struggle which erodes the investments you make.
When we build bespoke training for clients, we develop a range of training content that encompasses best practices and security principles and, if required, is tailored to your business. Delivery of content is always customised according to roles and responsibilities. The method and “tone” of delivery will be further tailored by target audience, to ensure maximum resonance. Sessions will be interactive, with exercises to allow attendees to contextualise the information being provided, and to ask questions and seek clarifications. Creating a sense of ownership of the training for your staff is something that requires open collaboration as we work together to build the most appropriate content for your organisation.
Businesses will always come up against the challenge of balancing the pressure to deliver their work with taking time away from staff to increase their security awareness, as security is often not seen as “my problem”. Our hope is that, by going through a discovery process in which you are able to answer these challenges, we will all be able to better secure and protect our work and home lives. Training can be delivered to a schedule that balances the goals of implementing the training program with ensuring that the business is not unduly disrupted.
For some organisations, the cyber security training requirements may be to ensure that all staff experience awareness training, that it is a part of the onboarding of all new starters and repeated at regular intervals, and that all senior staff go through more detailed training to enable them to play a role in leading the cyber security approach. Beyond this there may be very specific courses that the organisation brings in depending on what its needs are, such as when seeking an accreditation or an understanding of an industry-specific framework. For many businesses, especially those with large numbers of employees or who are deemed a high-value target, there will be a need for training to be built as a bespoke solution and delivered more regularly to ensure that all relevant staff are as informed as they can be, creating a powerful line of defence.
It is paramount to us that, when staff have experienced our training, they feel more informed and reassured about when and how to act on what they perceive as a security threat. As we work more and more in a remote way, and therefore have fewer people directly around us day to day, we must ensure that people experience no shame or blame when it comes to cyber security.