John Edwards
Contributing writer

How to choose the right security training provider for your team

Sep 03, 2020 | 7 mins
IT Skills, Security

When it comes to keeping your security team's skills sharp, there is no one-size-fits-all approach. Here's how to assess your needs and the ability of training services providers to meet them.

[Image: A woman speaks to a team at workstations. Credit: Gorodenkoff / Getty Images]

Your enterprise’s security team is entrusted with a critical mission: protecting systems, resources and users from phishing, ransomware, denial-of-service attacks, data theft, malware infection and assorted other attacks. Staying on top of emerging and evolving threats requires constant vigilance and, most importantly, a well-trained team.

Having a dedicated security team is essential in these perilous times, observes Dimitrios Pavlakis, a security industry analyst at technology research firm ABI Research. “Investing in external consultants or managed security services is fine, but an internal IT security team that has the knowledge to handle the new emerging threat horizon is absolutely mandatory,” he says.

There’s no silver bullet when it comes to training security teams, notes Jason Jury, lead associate and cybersecurity learning and development manager at management and IT consulting firm Booz Allen Hamilton. “Before you begin your journey to find a training provider you need to inventory the existing skills, roles and proficiency levels of your staff,” he advises. “This will help you identify gaps in the business and allow you to strategically identify the expected learning outcomes.”

Cybersecurity training providers can play an important role in bringing employees up to speed on the latest threats and countermeasures. “Training services are invaluable,” says Edith Santos, director for global digital forensics incident response at telecom firm NTT. “They can mean the difference between being prepared or being completely unprepared to respond to an incident.”

In addition to education and instruction, a training provider can bring fresh insights and perspectives to security teams that have grown shortsighted and complacent over time. “A third-party that specializes in security training has collective knowledge gleaned from its client base,” explains Theresa Lanowitz, a former Gartner analyst, now head of evangelism at AT&T Cybersecurity. “This collective knowledge and resulting best practices allow a third party to help guide an enterprise with how to train, when to train, how to reward good behavior and how to discourage bad behavior,” she adds.

Before launching a training provider search, it’s important to fully identify and understand the security team’s precise needs and goals. “Once this baseline has been established, document the types of skills and certifications you would like to target with training,” Jury says. Creating a high-level overview of the security team’s current capabilities and future needs makes it much easier to zero in on training providers with relevant background and experience.

Michelle Tran, a security and risk management research specialist at Info-Tech Research Group, advises limiting searches to training providers recommended or vetted by organizations associated with cybersecurity best practices. She recommends reaching out to the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), the National Initiative for Cybersecurity Education (NICE) and the National Initiative for Cybersecurity Careers and Studies (NICCS) for leads.

Tran also suggests seeking provider recommendations from colleagues and business partners. “Not only will this save you time in short-listing vendors, but it can also provide you an external reference capable of speaking candidly about their experience,” she says.

Tran believes that a good reputation is the most important attribute to look for in a training provider. “At the end of the day, you’ll want to be assured that the content and knowledge being transferred to your team is being taught from a reputable and reliable source,” she explains. “This can mean delivering up-to-date content that follows recognized guidelines and standards, having experienced instructors with the technical expertise to deliver quality training and having approval from industry organizations.”

Security training models

Another important consideration when vetting providers is choosing the most appropriate training method for the individuals on your team. “For some, that’s online training, either licensed from a third party or self-produced,” Lanowitz says. “For others, it’s on-site classroom training.” 

Although the COVID-19 pandemic sidelined classroom training for many organizations, it’s likely that the approach will eventually return as a leading instructional method. An important benefit classroom training offers over other approaches is fewer distractions. “In a physical classroom, it’s easier to shut everything out and focus,” Santos says. “There’s also more opportunity to have real-time discussions for brainstorming, sharing ideas,” she adds.

While classroom training remains off the menu for many enterprises, online training is gaining momentum. “Online training allows for more [trainees] to join in without the limitations of time zones and geolocation,” says Isaac Painter, Adobe’s security business operations lead. The approach also allows for more training to occur within a given timeframe by eliminating most set-up and travel requirements.

Adobe, Painter notes, is committed to taking online training in new directions. “We’ve been able to creatively find ways to have our employees engage with security training through gamification, bug bounties and capture-the-flag events,” he says. Painter believes that such practices encourage the firm’s employees to think differently as they showcase their expertise and unique skills.

Security symposiums, seminars and other events offered by various trade groups and businesses present a frequently overlooked staff training opportunity. “Events like SANS can be game changers for team members who are looking for additional sources of training,” Painter says.

Jury agrees. “To develop in your career, you need to make a commitment to step outside of your comfort zone and engage with a community separate from your company,” he explains. Many gatherings offer hands-on challenges or mission-based activities. “This provides an opportunity to test your skills to see how you rank with others in the industry,” Jury notes. Additionally, industry events give security team members a unique opportunity to network with colleagues at other enterprises, allowing them to share ideas and learn how other organizations have successfully implemented best security practices.

While formal instruction is essential, it’s also important to encourage team members to engage in some type of self-training. “Self-training is really where you can identify employees who are dedicated to their tradecraft,” observes Jon Check, senior director of cyber protection solutions at Raytheon Intelligence & Space. “To be a successful cyber practitioner, you must be a maniacal, continuous learner,” he states.

Check observes that it takes considerable discipline to complete a course when no one is watching, but employees who accomplish this feat are often the best performers. “How they train can vary, but we’ve found that employees who have their home network to practice and experiment on are often the most committed,” he notes.

Like a growing number of organizations, Raytheon I&S is turning to self-training tools incorporating artificial intelligence (AI). “The benefit that AI brings to our training is individually-adaptive training in real time,” Check says. “[AI] can also be used to bring the most appropriate type of coaching to each student by tracking their response patterns and bringing them the right types of materials—a video, text prompt or an interactive session with a coach—to work through a challenge.”

Finding the right fit

Security training should never be viewed as a one-size-fits-all, pre-packaged solution. Multiple factors should influence a training program’s structure and content, including the enterprise’s size, scope and threat model, as well as the security team’s current skill level. “What might work for one enterprise may not work for another due to size, budget or depth of their security teams,” Painter explains.

Tran believes that the easiest and quickest way to bring comprehensive security instruction to staff members at various skill levels is by adopting a set of common guidelines. She suggests the NICE Cybersecurity Workforce Framework, a cybersecurity training and education model developed by government, academic and private sector experts. “Based on my personal experience, I have found an increasing number of organizations incorporating such a framework into their hiring and employee development efforts,” Tran says.

Meanwhile, Pavlakis urges leaders not to waste time worrying about burdening staff with security instructions that may not be directly relevant to their current tasks. “One can never have too much cybersecurity knowledge, as far as I’m concerned,” he says.