All too often, in any business, we get caught up in simply getting stuff done. But a purely execution-focused approach typically doesn't benefit anyone, much less the organization you work for.

Employees are crunched for time, and often there’s a choice between stepping back and thinking critically about what you’re doing, or just getting it done. Tough choice.

However, there are factors other than lack of time that shape employees' learning and development initiatives. Compliance, for one, will determine what an employee HAS to do in terms of training. Internal mandates and key performance indicators will also factor into the training an employee receives as a condition of employment and/or advancement.

So now consider security and how you would roll out a security training program at your organization. Where do you start? Who do you train? Can you all of a sudden influence behavior with a mandate stating "every employee needs to care about security"? Nope.

Then, take a look at your organization. There are naturally many roles, and most either don't understand security conceptually or don't have anything to do with security. So then you have to ask, "How can we get them to understand? What will our process be? Is there a curriculum that maps to specific roles?" If I require all employees to attend a live training session, will that solve my problem? Nope. A one-and-done session will prove ineffective.

Develop a Program to Match your Goals
So what on earth do you do? If I’m a C-level exec, I want my non-technical employees to understand security, and I want my technical folks to be trained on the more technical aspects of security. Digging deeper, you then want your software developers prioritizing security in the apps they are creating, but this falls in line with training technical folks.

There are a few key concepts to consider when implementing a training program. First, organizations should consider what their goals are with respect to training employees. From there, it's critical to design a "program" as opposed to a flash-in-the-pan course, booklet or guide. A program might include instructor-led training or computer-based training, or a combination of both. It just has to map to the objective the organization wants to achieve with training.

Culture change vs. Meeting Compliance Requirements
If an organization wants to meet compliance requirements, the minimal amount of training will probably suffice. This is not a bad thing, because most compliance requirements in IT security, like PCI DSS, are prescriptive and based on best practices, so they are meant to serve as baseline standards for protecting information. When there is a training requirement and you can fulfill it by implementing a computer-based training course, good. But not necessarily great.

If an organization is dedicated to effecting culture change, making the less technical ranks more security-conscious while improving security know-how among more technical employees, the effort has to be pervasive. That means security training has to extend beyond a statement of policies to a new hire and the annual training. That means everyone has to have a role, from management to admin staff.

But it also means that the process you choose to meet your security training goals needs organizational support. This is where a program that corresponds to roles, retention, topics and adoption has to be developed.

The notion of a program can impact whether a company actually improves its overall security or not. This can mean prevention of security incidents, which could mean saving money. It could also reduce how often employees do dumb things, like clicking on a phishing email. But it could also mean that technical employees, like developers for example, with the right training for their skillset, will start implementing security practices when they write

Combining ILT and CBT: A Programmatic Approach
There are myriad learning methods for employees. Instructor-led training provides an opportunity for employees to learn together and interact, but it is sometimes limited by location. Computer-based training is a more scalable fit, particularly for large organizations, because it can roll out to an existing LMS, or the provider can usually host the courses.

Instructors can typically provide the highest level of interactivity for those being trained, so one way to decide between an instructor-led session and a computer-based session is to look at the topical relevance, how critical it is for the organization to improve on that particular topic or skill, and potentially the physical location where training might take place.

Computer-based training can satisfy training compliance requirements by enabling all users/students to take the same course or set of courses. Organizations that want to build technical competence are more likely to do so by implementing computer-based training, because the material is normally more digestible and consistent.

Combining instructor-led training for core topical and skill areas with computer-based training for areas where you want consistent content delivered is a best practice organizations should consider. This is a programmatic approach, as opposed to an ad-hoc approach that likely won't effect culture change or improve competencies.

In addition to both types of training, organizations should consider integrating materials that not only map to course content but help extend the skills with an "in-practice" approach that supports students once they are back on the job. Not only will this help justify the ROI of implementing a training program, it will map directly into the "getting it done" category of tasks that employees tend to focus on, also improving productivity.
