7 things to look for in a security awareness training provider

Not all cybersecurity awareness training vendors are the same or are right for your organization. Here's how to find the best match.

In an era when a single misguided keystroke can endanger an entire enterprise, employee security training isn't just a good idea—it's a necessity. While it's well known that employees are often the weakest link in the cybersecurity chain, it's far less recognized that a properly trained staff can actually serve as the first line of defense.

The secret to transforming everyday employees into cybersecurity watchdogs is comprehensive training. While many enterprises rely on internal training teams, others are turning to outside vendors for assistance, realizing that the threat landscape is evolving so rapidly that it's best to place training into the hands of experts who are dedicated to staying on top of new and evolving trends.

The challenge when searching for a training provider lies in finding an organization that's competent, reliable and affordable. To help you in your quest, here are the seven key attributes you need to look for in a cybersecurity training provider.

1. Compatibility with enterprise security principles

Finding a provider that matches your organization's security needs, policies and goals is essential to achieve long-term training success, says Charlie Lewis, an expert associate partner at management consulting firm McKinsey and Company. Before approaching a vendor, it's necessary to conduct some enterprise introspection. "When you’re building out a new training product or service, it’s got to be a part of a successful cyber culture, cyber awareness and change management program," he explains. "These three factors lead to successful integration and successful service or product selection."

Reaching an internal consensus is the best way to ensure a solid provider match, advises Lewis, a former assistant professor of American politics at the United States Military Academy who also developed the Army’s cyber leadership education programs. "[Working] with front-line employees and business leaders to see if a particular program meets their interests helps to ensure that the right tool is selected," he says.

2. The ability to engage

Training has to be relevant to your organization and its specific needs as well as to the people who will be trained, says Jo Stewart-Rattray, CSO at Silver Chain Group, an Australian in-home health and senior care services provider. Training is less effective when it's generic in nature, she notes. "There also has to be some tailoring to the organization and its preferred learning modalities," adds Stewart-Rattray, who's also the founding chair of the Women's Leadership Advisory Council at ISACA, an international professional association focused on IT governance.

A one-size-fits-all training approach is rarely successful. Understanding the audience's competency level is necessary to provide effective, focused training, observes Dan Callahan, cyber training director at business consulting firm Capgemini North America. "Some training is too remedial and is driven by overly simplistic content that misses the need of the role and the cyber skillset required," he states. "Being timely, relevant to current events, and relevant to the business culture of the enterprise is vital."

3. The ability to deliver targeted content

Regardless of how it's presented, training needs to be meaningful to its target audience. "For example, the approach [applied] to internal employees and executives may be different than the approach to contractors or third-party vendors," explains Sharon Chand, risk and financial advisory principal in Deloitte's cyber and strategic risk unit. Meanwhile, the approach used to train a privileged-access IT staffer will be far different than the training provided to an operational technology employee working in an oil field. "We’ve found that customizing training content for unique audiences increases effectiveness considerably," she says.

To determine content value, nothing is better than a hands-on evaluation, says Greg Touhill, former CISO for the US government, now president of cybersecurity firm AppGate Federal and an adjunct faculty member at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. "I really like the test-drive approach where the selection committee has random employees take the contender's training programs for a test drive to assess their capabilities against requirements," he says.

4. Sufficient scope to meet the needs of a diverse workforce

Large enterprises with workforces scattered across regions or continents generally face a greater range of localized threats than smaller organizations with employees located in a concentrated area. Touhill says he keeps an eye open for training tools that will be relevant to his entire team in terms of attack prevention and usability regardless of physical location. "We have employees in many countries whose primary language isn't English," he notes. "Because of that, I look for capabilities that are offered in the language of my employees."

5. Threat modeling integration availability

Most enterprises use some form of threat modeling to identify, prioritize and address cyber-dangers. Touhill advises using a training product or service that takes advantage of threat modeling to make informed decisions on training requirements and security actions. "For example, if I know that I have a particular nation-state actor or cybercriminal group actively seeking my intellectual property, I want my training program to help my team know how to appropriately address that threat."

Threat modeling is often viewed as a purely technical pursuit, but the model should also incorporate business interests. "It's important to identify the types of information you want an enterprise audience to consider ... since in many cases insider threats are the biggest concerns," Callahan says. "Good cyber awareness training can help prevent and mitigate most of these threats."

Lewis agrees that it's necessary to understand how cyber-threats directly influence business staff security training. "Threat modeling is a key component of any successful awareness program tool selection implementation," he states.

6. Appropriate, competitive pricing

Touhill advises consulting with peers to determine if a provider is quoting a competitive price. "The CISO community is unparalleled in its sharing of best practices," he says. "Chances are excellent that reaching out to other CISOs will help you quickly identify contender courses of action you can evaluate."

Beware of providers that attempt to over-sell products or services. "Many enterprises are now overloaded with training content and events," Callahan says. "If too much content or information is pushed out to employees they will overload, causing them to become numb to the intent behind the training," he warns.

7. An ability to provide effective training

"Ecosystem globalization, driven by business expansion, cloud computing, artificial intelligence, machine learning, mobility and connected devices, provides a greater attack surface for adversaries to exploit," Chand notes. Effective training provides the best way to address these challenges.

To evaluate the potential effectiveness of a particular training product or service, Stewart-Rattray suggests bringing key stakeholders, including HR and other relevant department heads, into the decision-making process. "When evaluating the potential effectiveness of a product, it is important to use cross-functional collaboration and ensure that key stakeholders are involved in the decision-making process as well as in potentially piloting a product where it is possible to do so," she advises.

Lewis believes that a proof-of-concept (PoC) trial is an excellent way to determine a training technology's real-world effectiveness. "You could start seeing improved training outcomes over time, including increased completion rates," he says. "You'll want to measure this metric over the entire proof-of-concept period, as well as continuing forward, so you can continuously evaluate the product."

If a product or service isn't meeting expectations, let the vendor know. "If that tool is not actually reducing the phishing click through rates or reducing the risk due to human error or human behavior, work with that organization to adjust or shift gears," Lewis recommends. If all else fails, begin looking for another vendor.

Ensuring that a training approach remains effective over time is an open-ended task. Constant attention is necessary to ensure that a deployed product or service is still getting the job done. "An obvious approach most security leaders are aware of is internal phishing testing," Callahan says. Another popular technique is dropping in on employees to spot-check their desktops to see if critical information is openly available or viewable.

Takeaway

Even the most thorough security awareness training planning has its limits. There is no perfect training approach or technology. "To truly change behavior, organizations need to go beyond 'check the box' security training and awareness activity," Chand says. "While it starts with leaders, a security-aware culture must resonate with all employees and echo into the organization ecosystem," she notes.

Copyright © 2020 IDG Communications, Inc.