How to design the best cybersecurity training program for your enterprise
One of the best ways to retain your staff is to invest in their further education and what is now called upskilling. But corporate skills training often has a hard time getting the respect that it deserves. Training budgets tend to be the first ones to be cut in any economic downturn and often don't get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers.
There is an additional factor when it comes to cybersecurity: the number of unfilled infosec positions is enormous and presents an opportunity to bring in new talent to close the gap. Indeed.com shows more than 30,000 cybersecurity job openings, and LinkedIn has more than 77,000 openings in their databases. Plus, the gap is widening: according to the U.S. Bureau of Labor Statistics' Information Security Analyst's Outlook, cybersecurity jobs are among the fastest-growing career areas nationally, with a 31% growth rate through 2029.
ChatGPT training built for everyone
Let's look at how to determine the return on any training investment and how to design the right program that fits your particular needs.
The benefits of training
Before you can measure ROI, you first need to calculate how you will measure the benefits. There are three different kinds of metrics you can combine to use in your evaluation:
- Awareness metrics: How many people participated in the program, how many graduated or completed the training and where do they fit in the corporate organization chart? Does this meet or exceed your expectations?
- Adoption and retention metrics: Can you move the needle and measure some positive effects for your training efforts? Are there more certified security engineers as a result of your program? Did you retain the staff you expected, or did they find better opportunities at other companies?
- Business metrics: You need to tie the training to your actual business results, such as net gain in sales or profits. Is there more search traffic to your corporate home page? Or a faster breach response? Make sure you are clear on what business requirements are important in your evaluation.
One way to measure these benefits is to invest in a learning management system (LMS). This is a good choice if you will be developing many courses internally and want some consistency in how they are delivered — or if you're going to blend in-person and online instruction across the enterprise.
These tools have various features that can help you develop your online courseware, track student progress and set up discussion forums, tests and other supporting elements. A good place to start to vet these kinds of providers is in this 2019 review by PC Magazine, a list of 10 LMS vendors and a detailed feature comparison.
The costs of training
The cost to conduct a training program depends on the type of program you design (see below for the major training modalities available), the logistics of managing the trainers and the students, and how often the curriculum must change to meet changing cybersecurity circumstances.
Enterprises also need to compare the costs of training existing staff with the process of hiring new employees. Training is usually much less expensive, especially if someone on staff already knows a parallel technology and needs to brush up on something new.
Finally, is your program only going to train a particular department, or will it be offered across the entire corporate staff?
Several different ROI calculators can be adapted to compare costs and benefits. They can also help you understand details you may not have thought of including. Two of them are from eLearning Industry (more nuts and bolts) and iSpringSolutions (more academic).
Training modalities
Once you have an idea of the costs and benefits, there are four different general training modes.
1. You can use several free or inexpensive college-style online courseware providers, such as Coursera, EdX and Udacity. The advantage is that they have solid curriculums and pre-made cybersecurity offerings and are suitable for smaller budgets. The downside is that you are locked into these offerings. Even though some of these providers offer more hands-on or practical exercises, it may not be as much as you desire to prepare your staff for the actual working conditions.
2. You can use a vendor-backed certification program, such as those offered by Microsoft, VMware, Cisco and others. These have the same pros and cons as the collegiate courses, but they usually have more hands-on components since the vendors want you to learn how to use their particular products. However, your security product portfolio might involve multiple vendors, making this advantage moot.
3. You can choose one of the cybersecurity industry organizations that offer certifications. We will discuss in our next blog post the various providers and options here. Certificates are easy to vet but are "just one data point in evaluating the worthiness of a training program," says Tom Hart, the COO of Eliassen Group, a major IT staffing operation based in the Boston area. "It isn't where or how someone has been trained, but what they really retain and how they apply that knowledge to their job's daily responsibilities."
4. You can develop your courseware internally or combine some of the classes from the above providers along with your in-house instructors. This is probably the most expensive option, but if you have specific circumstances that the outside vendors don't cover, it may make sense. Justin Ferriman, a learning and collaboration consultant for Accenture, estimates that each hour of delivering a particular training class will take 100 hours to develop.
Also, if your corporate culture is more onsite-oriented, you will want to examine those industry providers that offer in-person training.
Phishing simulations & training
Sources
Tom Hart, COO of Eliassen Group
Information Security Analysts, U.S. Bureau of Labor Statistics
E-Learning ROI Made Easy, Justin Ferriman
The Best Online Course Platforms for Business, PC Magazine
In this Series
- How to design the best cybersecurity training program for your enterprise
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization