The year 2020 was all about the pandemic. It pushed security teams to the edge and demanded creative problem-solving, strong teamwork, and both investment in and optimization of security tools. The year also showed organizations how important security awareness is, and why agile training in particular is required. It became clear that only those who had worked steadily over time and prepared in advance coped successfully with the drastic changes throughout the year.
This is no small feat. Changing a security architecture may be complex, but compared to changing culture and the reflexive habits of employees it is simple. Now that things are returning to something resembling normal, organizations are ready to invest in this challenge. But what impact has the past year had on the types of training organizations will invest in?
Employee-Centric Training Programs
There is a huge difference between learning and training. I like to say, “Training happens when possible, learning happens when needed.” Training programs are usually focused on delivering content when it suits the organization, whether that means the manager, the trainer or a third-party platform. In contrast, people learn when they need it the most, immediately and in response to a problem. If the organization is lucky, then these two sets of circumstances align. But more often than not, they don’t.
The outcome is usually frustration: employees are given training when they don’t actually need it and struggle to see the use case, and in the moment of need they don’t always recall what they were taught. Security managers see money down the drain with little impact on results. Employee-centric security training changes all of that. It asks security teams to stop thinking the way hackers or security professionals do and start being empathetic to their employees.
A security awareness training program should always start by assuming the point of view of the employee, from the program’s design to the content to the delivery itself. Some think that having well-designed content or neuroscience-driven training is sufficient, but the best training delivered to the wrong people or at the wrong time is worthless. It’s like a good recipe: great ingredients are not enough, you need to know what to do with them. One can argue that a good recipe beats good equipment in producing a good meal, and security training is similar. You need a program attuned to your organization’s needs and to your employees more than you need slick, fancy training videos curated by Hollywood’s finest.
Managed Training Services
As security training becomes increasingly important, the shortage of skilled people in this area becomes obvious. Security training was traditionally led by security professionals with strong technical backgrounds and hacking skills. This, in part, led to content that was overly technical and mostly interesting to other security pros or the more tech-savvy employees, which in turn kept security awareness training from being effective. As concepts from learning and development, psychology and neuroscience made their way into the field, security teams were reminded just how much knowledge they needed and how little they actually had.
The general skills shortage in cybersecurity is nothing new. However, as the security skills required become more advanced and more in demand, training professionals in these areas gets harder. In short, security training programs are complex to run and require deep expertise, and with the growing skills shortage, a rise in demand for managed services specifically for security training is likely.
However, unlike traditional managed services that outsource complete parts of the security process (for example, a remote security operations center (SOC)), in security awareness training, the goal is to have a person in the organization leading the effort, with the managed service serving as a trusted advisor or go-to infrastructure. This combination allows organizations to be employee-centric internally (as rightfully expected by employees) but still get the benefits and expertise of offloading program administration and operations to an external partner.
Remote work has become part of organizational culture, a shift that has directly changed the threat landscape. As a result, organizations have changed their perception of security awareness training from a nice-to-have to something critical for cybersecurity and risk reduction. Employees are forced to make decisions on their own while out of the office, on their own home networks. While they might feel more secure at home, this is usually a false sense of security: they are connecting from an uncontrolled home network into the organization’s systems, so any weakness at home adds to the organization’s risk.
Viewing security awareness training through the lens of a risk management framework, there is only one way to move the needle: focus on a program’s results rather than on what is invested in it. This will drive vendors to generate and deliver more intelligent metrics. At the moment, many organizations focus on click rate, but this is a flawed metric that combines too many variables (lure difficulty, who was targeted, when it was sent, whether anyone reported it) and is not indicative of actual progress (I have elaborated on this point elsewhere). In contrast, organizations will start to focus more on risk-based metrics that show how the organization’s capacity to mitigate risk has changed as a result of security awareness training.
This is not a simple task. While there are some good ways to measure phishing simulations over time, much remains to be done in other areas of security training. It is time, though, to stop measuring simply how many employees completed a computer-based training (CBT) module, unless completion can be shown to correlate with risk reduction.
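To make the point about click rate concrete, here is an added illustration (example code written for this page, not the author's method or any vendor's product) that runs over a small constructed set of phishing-simulation results. It separates the variables that a single click rate lumps together: reporting behaviour, unreported clicks, time to report, and lure difficulty. The department names, campaign labels, difficulty tiers and every result row are invented for the example.

```python
from collections import defaultdict
from statistics import median
from typing import NamedTuple, Optional


class Event(NamedTuple):
    department: str
    campaign: str
    difficulty: int               # assumed lure tier: 1 = obvious ... 3 = convincing
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int]


# Constructed sample results (not real data): one row per recipient per campaign.
EVENTS = [
    Event("finance", "2021-q1", 2, True,  True,  12),
    Event("finance", "2021-q1", 2, False, True,  5),
    Event("finance", "2021-q1", 2, False, False, None),
    Event("finance", "2021-q1", 2, True,  False, None),
    Event("sales",   "2021-q1", 2, True,  False, None),
    Event("sales",   "2021-q1", 2, False, False, None),
    Event("sales",   "2021-q1", 2, False, False, None),
    Event("sales",   "2021-q1", 2, True,  False, None),
    # Q2 used a harder lure: finance clicked more, but also reported more and faster.
    Event("finance", "2021-q2", 3, True,  True,  3),
    Event("finance", "2021-q2", 3, True,  True,  8),
    Event("finance", "2021-q2", 3, True,  False, None),
    Event("finance", "2021-q2", 3, False, True,  2),
]


def summarize(events):
    """Per (department, campaign): click rate, report rate, share of recipients
    who clicked and nobody reported, and median minutes to report."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.department, e.campaign)].append(e)
    out = {}
    for key, rows in groups.items():
        n = len(rows)
        clicks = sum(r.clicked for r in rows)
        reports = sum(r.reported for r in rows)
        unreported_clicks = sum(r.clicked and not r.reported for r in rows)
        delays = [r.minutes_to_report for r in rows if r.minutes_to_report is not None]
        out[key] = {
            "recipients": n,
            "difficulty": rows[0].difficulty,
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "unreported_click_rate": unreported_clicks / n,
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return out


def campaign_delta(summary, department, earlier, later):
    """Change between two campaigns for one department. Click rates are only
    compared when both campaigns used the same difficulty tier; a rise in clicks
    on a harder lure is not evidence of regression."""
    a, b = summary[(department, earlier)], summary[(department, later)]
    same_tier = a["difficulty"] == b["difficulty"]
    return {
        "comparable_difficulty": same_tier,
        "click_rate_delta": (b["click_rate"] - a["click_rate"]) if same_tier else None,
        "report_rate_delta": b["report_rate"] - a["report_rate"],
        "unreported_click_rate_delta": b["unreported_click_rate"] - a["unreported_click_rate"],
    }


if __name__ == "__main__":
    s = summarize(EVENTS)
    for key in sorted(s):
        print(key, s[key])
    # finance and sales both show a 0.5 click rate in Q1, yet sales reported nothing
    # and has twice the unreported-click rate; the click rate alone hides that.
    print(campaign_delta(s, "finance", "2021-q1", "2021-q2"))
```

The two Q1 departments have identical click rates, but only one of them produced reports, and only reports let a SOC act before a real campaign spreads. The Q2 comparison refuses to read a higher click rate on a harder lure as regression, which is exactly the kind of conflation the raw number invites.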
Adaptive Content Management
The move to employee-centric training also means that training content has to reflect corporate language and topics. Employees have to feel that the content was curated for them, and security teams need to find ways to make it engaging. In phishing simulations, for example, this can be done through recurring data analysis that identifies the best simulations for each department. But for general security awareness training, this method isn’t viable. Organizations that want to drive engagement will need a better way to show employees that the content is relevant to them, and at the moment this is a challenge. On one end of the spectrum, current offerings are off-the-shelf solutions that offer great scale and a wide range of training materials, but most, if not all, feel like something that has been seen before. On the other end are highly customized training materials produced internally, or made specifically for the enterprise by an expert consultant. These are impossible to scale.
The move to employee-centric training will also require organizations to adapt content to their own needs: industry-specific threats, current events or an influx of new hires, for example. Naturally, this requires additional effort. The winning security vendors will be those that can offer a dynamic content system with the speed and scale of an off-the-shelf solution combined with the customization of proprietary material.
Some of this is already happening, especially in areas like branding, where content is created to cater to a specific company and match the organization’s look and feel. However, this approach needs to expand to the content itself, which would need to be adaptive at its core, allowing organizations to change small segments to raise overall engagement, or to meet needs that vary by geography, risk factors or experience level.
A Leap Toward Empowerment
These trends won’t change the security awareness training landscape overnight. On the organizational side, these approaches may require adopting new methodologies and implementing best practices that infosec managers haven’t invested in before. Security awareness training vendors also need to push themselves to offer more efficient, data-driven solutions that address the changing landscape. Together, those that cater to post-pandemic employee habits in a way that builds solid, lasting security practices and a new set of skills will find that they fill an important role in empowering employees and truly reducing cybersecurity risk.