Regulations and Standards Demand Robust Training
When we talk about security training, we tend to think of regulations and compliance. In other words, we have to take security training because there are legal or audit requirements that demand it. A couple of examples should suffice to make the point:
NIST 800-53 (Section 3.2 Awareness and Training)
Here, NIST outlines the essential policies and procedures for security awareness and role-specific training. The scope includes usage, detection, and best practices.
ISO 27002 (7.2.2 Information security awareness, education and training)
This standard clearly states that “All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.”
So your organization needs to comply with security training. Your next question is probably “Where do I start?” There are so many options to choose from. We recommend a three-step process:
- Assess your current needs – At this stage, you start to develop a basic notion of where you need to allocate investments for training. For example, if you are just starting out with security, you should consider security awareness training. If you are a more mature organization, you’d consider more advanced forms of training, like secure coding or threat modeling.
- Select the right courses – Your program’s courses should be logically connected and have clear objectives. That is, there should be some sense of continuity between the courses. At this stage, you should also clarify how the courses will help you meet your training objectives.
- Track the effectiveness – Training should ultimately lead to improvements in company performance. For example, do your managers or developers believe they are growing in their security knowledge? Is there evidence that there are fewer security defects in production
Now we will explore each stage in a little more detail.
Step 1: Assess Your Current Needs
It is always helpful to understand where you are before making an investment. Otherwise, you might end up spending too much or too little. If you need a starting point, consider areas that NIST has already identified (see NIST 800-181 Workforce Framework for Cybersecurity). You don’t have to train in all areas, just the ones which are reasonably achievable and map to your business priorities.
As you assess your current needs, consider two key questions:
What type of security training do I need?
Should your security training be in a virtual classroom, self paced, or some type of hybrid? How will your learners feel about the type of training? Meeting your learners at their point of need is critical. Everyone learns differently and you should consider the right modality.
What is the purpose of my security training?
Some security courses are intended for knowledge retention while others focus on higher-order thinking that involves deeper analysis and recommendations. There are many learning frameworks available but, for the sake of brevity, let us consider how Bloom’s taxonomy might be used.
Using this model, we identify high-level objectives for a course. For example, a relatively inexperienced team should focus on security knowledge, comprehension, and application. Your developers might benefit from security awareness, and code samples can provide a bridge with application to their daily work. Over time, you can start building toward analysis and synthesis (with security architecture, secure design, and so on) while they retain the previous training. This way, your security training program will grow methodically with clear objectives and outcomes.
Step 2: Select the Right Courses
There are many security courses to choose from, but which ones make sense? We recommend you consider four requirements before you make your decision.
Requirement 1: Certification
Security certification ensures that the learner has achieved a certain level of understanding and comprehension. Holding a certification implies a certain threshold of knowledge. It also quickly enables your team to speak a common security vocabulary across a certification stream.
Requirement 2: Third-party objective measurement of quality
Each security training course will undoubtedly claim to be the best course for you so look for an objective third-party assessment of the course. Has the course been approved by a recognized leader in security? In many cases, this can tie into your requirement for security certification.
Requirement 3: Recency of content
Security is a dynamic environment. New threats and technologies emerge continually. The courses you select should be based on the latest threats and technology stacks. This narrows the gap between training and application of the material in day-to-day work.
Requirement 4: Integration with a LMS
As you continue to scale your security training program, you will have to track progress. Initially you may find a spreadsheet to be sufficient. But as you scale, and particularly when auditing requirements become increasingly stringent, you will need to add additional metadata about your learners, their interests, time spent on courses, and so on. Scaling these tasks in a spreadsheet quickly becomes unsustainable.
Step 3: Track the Effectiveness
Once you’ve initiated your training program and learners are taking courses, track the effectiveness. There are two ways to achieve this:
Survey your learners
Regularly survey your learners to see whether they find the security training useful. Ideally, you want to survey them during the course or shortly after the course is complete.
Track the number of vulnerabilities
Ultimately, the goal of security training is to reduce the security risk to your organization. By monitoring the number of vulnerabilities in production, you can determine if the number has decreased since the training began.
Security Compass Training Courses
Security Compass offers several training courses that are ISC(2) certified. You can be confident about the course quality, and use them toward a certification program for your learners. Our training content is regularly updated based on the release of new technologies.
Our consultants are available to help you select the right courses based on your security program needs. We have helped many large and mid-sized organizations achieve their training and security competency objectives.
Building a sustainable security program takes careful thought and planning. As you assess your program, notice if the courses map to your objectives, and consider the people, process, and technology aspects. Upholding the level of quality and rigor demands that your security training courses be objectively assessed so that you have confidence in the material being taught. Finally, assess the effectiveness of your training program as it unfolds.
At Security Compass, our dedicated team of training consultants are prepared to help you realize your security program. Avoid the pitfalls of a poorly planned program that doesn’t scale or one that appears disconnected from the reality of daily work. Discover a better kind of cybersecurity training for your team.