Debunking the Pretext

Answering the excuses that execs make when implementing security training

The Training team, at Security Compass, is constantly looking for ways to help our customers get the best rate of return on their investment with us. Whether it be role-based learning (courses carefully selected based on job function), or our SSP Suites (a partnership with (ISC)² that leads to a secure coding certificate), we are always seeking new ways to help our customers increase their employees’ adoption rate. Our newest initiative are these articles — a quarterly publication of proven techniques to assist you in getting your employees to utilize the training tools you have invested in.

It seems that every few weeks there is a new report of some organization or high-profile individual getting hacked and private information being leaked. The method of the data breach may vary, but in far too many instances, the leak could have been avoided with some basic education. Whether a Developer building software, or an average citizen with a cell phone, the importance of IT security training is impressed upon each of us again when each new report of personal information is made public.

If IT security training is so important in order to help defend against data breaches, why then, is it so challenging to implement a successful IT security corporate training program?

Sometimes the barrier to an effective corporate training program is not because employees do not want to take the training. Sometimes, the main issue is because executives do not fully recognize the need for the training program. In this installment of our quarterly Training Toolkit publication, we’re going to address a few of the reasons commonly cited for not implementing (or worse yet, for terminating) security training.

”It’s too expensive.”

This is typically the number 1 reason executives will cite when discussing why they cannot adopt a security training program. The problem with this argument, however, is that it is not accurate, all things considered. The old adage says “prevention is better than cure,” but as anyone who has experienced a data breach can attest to, prevention is also cheaper than cure. When one considers the costs associated with a breach — the cost to identify and fix the breach, the cost of rebuilding your organization’s public image, and the personal cost to your customers — the cost of training is quite affordable. According to the 2016 Cost of a Data Breach Study conducted by the Ponemon Institute, the average consolidated total cost of a data breach is a staggering $4 million USD. The study also reports that the average consolidated cost incurred for each lost or stolen record containing sensitive and confidential information is $158 USD.

While there are benefits of face-to-face training, eLearning courses tend to be cheaper as they do not incur the same overhead costs that in-person courses do. At Security Compass, our eLearning cost per employee starts at $20 and increases to a few hundred dollars per employee per year, depending on the type of training you are interested in. With our various discount bundles, the cost to train your entire staff is actually quite affordable.

“Employees don’t have time.”

Yes, employees are very busy. And yes, time is money. But, as noted above, investing in security training can potentially save your organization a lot of time and money in the long run. Building secure practices into your organization’s culture can help to ensure that security remains a priority for each employee, in every job function they perform. An easy way of doing this is to add completion of yearly security training as a part of each employee’s job description.

Too often deadlines are the driving force and security is forced to take a back-seat. Building security training into an employee’s job responsibilities helps put training back at the top of the list of priorities, shows employees and customers that this is something the organization takes seriously, and ensures that training gets completed.

Security Compass’s eLearning courses are modular, which means that each topic is packaged in bite-sized chunks that can be completed very quickly. What’s more, our courses allow employees to exit the training at any time, and return later to that same spot. This allows employees to take the courses at their own pace, whenever they have some free time. With the majority of our courses taking only around 60 minutes to complete, and thousands of happy employees commenting on how much they love both the content, and the modular approach of our courses, it is hard to make a case that your employees are too busy to take the courses.

To learn more about how to encourage your employees to complete security training, take a look at some recommendations we provided here during our last installment of the Training Toolkit.

Modular E-Learning Courses Make it Easy to Digest Information

“We already have training.”

Okay, so this argument and each of its variations, actually makes a lot of sense — but only on the surface.

“We are security conscious, which is why our employees completed security training just 12 months ago — so why should we pay for them to take security training again so soon?”

The simple answer is, “because you care about your customer’s security.” The more in-depth answer is that hackers are constantly upping their game — and so should you. New vulnerabilities are always being found and exploited. This means that there is always something new for the security conscious individual to learn. Your employees need to stay up to date with the newest security risks and learn how to protect against them.

“But aren’t they relearning the same content again?”

The best athletes and musicians go over the same basics multiple times, to gain muscle memory. Muscle memory is important, because it means that the activity you practised over and over again has finally become second nature. Your employees need to do the same, so that your organization becomes, and remains, the best at what you do. By constantly revisiting secure practises, these security principles will become second nature to your employees.

“But we are careful to hire people with a lot of experience and training. Isn’t that good enough?”

Here again, the answer is quite simple: “so did every other organization that has been hacked.” So often, very experienced developers take our training and realise that they learned something they didn’t know, or they were reminded of something they had forgotten about. This is why many registered professions, including Social Work, Occupational Therapy, Law, Medicine, Dentistry, and Accounting, require their members to stay current by completing a certain number of continuing education credits each year. Knowledge should be re-evaluated often, and knowledge gaps should be addressed by completing training on those particular areas.

“Why must we purchase so many different courses? Can’t we just purchase one?”

Unfortunately, one course won’t cover every possible eventuality. The course would be way too long, not to mention boring. Multiple job based courses are required, so that employees only take training applicable to their role — minimizing the overall cost of training to your organization and utilizing your employee’s time the most efficiently. Fortunately, Security Compass provides role based learning, which can be catered to your specific job roles and functions. Additionally, our courses allow your employees to skip the content they are already familiar with by simply passing a quiz. When they get a question wrong, which indicates a knowledge gap, they are pointed to the relevant part of the lesson so that they can brush up on that particular topic.

At Security Compass, we really care about information security. This is why we try to find a resolution for every concern executives present when it comes to implementing an IT security training program. While through our Advisory practice, we are able to help cure security issues as they arise, we would much rather help you prevent them from occurring in the first place.

If you would like further information about our courses, or would just like to share the barriers you face with your corporate training program, feel free to contact us at [email protected].