How to Improve Adoption of Cybersecurity Training
Cyber-attacks continue to assail organizations of all kinds, with as many as 43% reporting more incidents than the year before, according to ISACA’s State of Cybersecurity 2022 Report. As organizations defend against more and more attacks, many have dialed up their training efforts to improve awareness and advance skills development internally. At Skillsoft, training consumption data shows an uptick in cloud security in particular.
However, as security leaders and training professionals roll out programs, they often face a common set of challenges. Security training can feel like checking a box or too “doom and gloom.”
When this is the case, the consequences can include poor adoption, disengagement, or even erratic decision-making that doesn't support the goals security leaders set for training, the first and foremost of which is creating more secure infrastructure.
The good news?
Security training doesn’t have to feel like this.
We recently spoke with Adam Gwaltney, Cybersecurity Training Manager at T-Mobile, who is responsible for implementing security training across the organization for employees working in storefronts, at home, or in a corporate office. He shared his approach to security training, the challenges he has faced, and how he overcomes them.
These tips will help security leaders and technical training professionals successfully deliver cybersecurity programs that align with their organization’s priorities and goals.
1. Set Clear Goals, Define Success for Your Security Training
In order to implement a successful training program, you must define what success looks like. In other words, what's the goal?
If there is a specific goal, such as fulfilling compliance requirements or building skills in a particular discipline, it provides a clearer path to deliver training that reaches the right audience in a purposeful way.
Training efforts that have vague goals can feel unorganized and difficult to measure. Many organizations focus their goals on building new skills, upskilling or reskilling, ongoing development, and lifelong learning. Having metrics readily available to monitor utilization, course completions, skills development and more can help demonstrate progress, influence planning, and eventually judge success.
2. Personalize Your Security Training to Create a Lasting Impact
“Learning the audience as much as you can and as early as you can is key to successful training implementation,” Adam said. “What training looks like for someone on the technology side is going to look vastly different than training for someone people-facing like HR, which is why having a content library that is relevant to a wide audience like Skillsoft is important.”
Tailoring the information to the audience depending on their role is crucial to making it as relevant as possible. If you want to effect lasting change, people need to see themselves in the training, not just hooded attackers. Therefore, messaging and content must be diverse and inclusive.
At T-Mobile, security training is delivered to people across the enterprise, including HR, finance, customer service, retail, and IT. The training across these departments is adapted to a professional's respective role because how they experience security risks often looks different.
A person at a call center or in a retail store may be more likely to experience social engineering schemes, whereas software engineers must focus on rooting out vulnerabilities in their programming. Because threats vary, the training must be adapted to have the greatest impact.
3. Time Is Often Against Us — Offering Variety Can Help
When it comes to challenges, Adam says time is often the leading factor to consider. Whether it’s trying to schedule training into the workday, ensuring it's completed by set deadlines, or demonstrating its importance, time is one of the largest issues at hand.
Security professionals listed workload and resource constraints among their top five biggest challenges at work, which means they're often short on time.
How Security Professionals Prefer to Train
Most tend to gravitate toward self-paced training. It affords them the opportunity to learn when it works for them. In the past year, less than half (42%) of security professionals took virtual, live instructor-led training, whereas 69% participated in self-paced training, according to Skillsoft's 2022 IT Skills and Salary survey.
“Busy professionals need to balance work and studying,” wrote one respondent in the survey. “Self-paced helps you learn at your pace, at your speed level, giving you the ability to research and learn with many different resources.”
This isn't to say security professionals won't sit for in-person classes, but rather they need to complement their training with other resources. With this in mind, it helps to offer learners a variety of training options to meet them where they are.
It's most common for security professionals to join webinars, read books or technical guides, and look to free online tools to supplement their learning. Ultimately, what’s most important for these professionals is the quality of the content and opportunities for hands-on practice.
4. Build Relationships with Stakeholders Across the Enterprise
Make a point to connect with internal stakeholders across departments to build relationships. Doing so will help bolster the impact training has.
"When I first started at T-Mobile, I tried to meet everyone in all these other departments to network and build relationships," Adam said. "There's not a fast way to do it, but the relationship is worth the time."
In doing so, you learn about what challenges each department has, what they need, and their impression of training. By developing these partnerships, it becomes easier to give and receive feedback, deliver training at optimal times, and align team goals with supportive training.
As Adam says, the time you invest in relationships pays off by:
- Improving communication
- Clarifying expectations
- Supporting training goals
Security Training Has Become Increasingly Important as Threats Affect Everyone
Nearly everyone and every organization has been impacted by cybersecurity attacks. Bad actors exploit vulnerabilities, stressed employees, and skills gaps. In fact, 80% of organizations say they’ve experienced cybersecurity breaches due to skills gaps, according to research by Fortinet. According to IBM’s 2022 Cost of a Data Breach report, 83% of organizations have had more than one data breach.
Bad actors can create a hyper-targeted attack that looks real after spending just a few minutes on someone’s social media page. And these attacks come at times when people least expect them. “Phishing attempts don’t come on Tuesday morning, they come late Friday afternoon when people have their guard down,” Adam says.
Frontline employees are often the first to notice the signs of an attempted data breach, whether it be a suspicious email or a mistake they made. Because of this, your employees are an essential defense against cyberthreats. The faster they report incidents to the IT department, the sooner those incidents can be addressed.
Through successful security training programs, you help employees identify red flags and prevent breaches. It’s critical to make sure employees understand the importance of security training and see themselves as playing a role in upholding the organization’s defenses.
Skillsoft can help you build an engaging cybersecurity training program that will benefit your organization. Our Cybersecurity Career Journey includes instructional variety to accelerate the on-the-job application of new skills through a fully integrated experience, including live, on-demand, and hands-on learning.