With anything we do, we want to make sure that our time is well spent and that we are not just going through the motions. We want real value for our time, especially when that time takes us away from our clients, because time with our clients is what makes us money. We have heard this time and time again from our clients – they know they need to address security and they know they need security training, but they can’t invest a whole day or even a half day to do it. As security professionals, that’s our biggest challenge: how do we help our clients balance their time with the training they need?
Here are some thoughts:
Plan Ahead – you can lose your effectiveness when training looks thrown together. That signifies that you didn’t take it seriously and therefore they should not take it seriously.
a. What are your training needs? Do you have regulatory training that needs to be worked in? How often does the training need to be updated? What other training do you assess as vital to your organization’s mission?
b. What type of training do you want to do? Classroom, virtual, or a mix? While virtual training can be effective, we also know that it is just as easy to click ahead to the end, take the short test and be done with it. Classroom training runs the risk of not being engaging. A mix might be the best solution. Additionally, you may get more impact from in-person training for certain classes and from virtual training for others, for example through the use of videos. For some of the standard training classes, virtual might be the best. But for training you identify as critical, consider in-person training. If you have a big organization, you can plan several sessions to ensure everyone can make it.
c. Set up training standards and define the end state. Part of effective training is to ensure you are training to a specific standard. “At the end of this training you will be able to effectively recognize a phishing attack and notify security.” This is not only important for the individuals receiving the training, but also for the individual(s) planning the training.
d. Make an annual training calendar and publish it. Once you identify your needs and your platforms, map it out and then let everyone know.
Make Training Aids – death by PowerPoint is not the way to ensure training is sinking in. Briefings are necessary to help guide the training, but mix it up. Have some handouts, use some real-world examples, use movie clips such as this:
This can be a powerful way to show the effectiveness of a social engineering attack. Add in what the employee's actions should be in that situation and you have an effective training class.
Training doesn’t have to run to a set time limit either. If you have an effective training aid or video, then training could be a 5-10 minute class and still have the same impact. Granted, this doesn’t work for every class. For example, regulatory classes that cover specific standards are just going to have to work through the material, but not all classes have to be this way. Look at what you are trying to accomplish and be smart about it.
Other things you can consider for training aids:
b. Case Studies
c. Security reminders on desks and in common areas
Involve Others – Delegate instruction to others within the organization and let them lead the training session. It’ll be important to ensure the training is prepared and rehearsed before they get up to present. Involving others allows them to also learn the material, or add their own subject matter expertise. And it could also unlock their creativity and you may be surprised with the type of training they develop.
Test your Training – An effective technique to reinforce training is to evaluate how much information was retained. You can do this through a short test at the end of the session or by holding practical exercises. You can use role-playing exercises as part of the training, though you should be careful not to embarrass employees in front of the rest of the class. You can also spot check employees after the training has completed to ensure the training was impactful.
Review and Make Changes – A key element of effective training is to review and evaluate it. Have employees provide feedback or answer an online survey. This will allow you to make changes or continue doing the same thing. Some training, especially statutory or regulatory training, can be dry, but you still want to make it as effective as you can.
Make Training a Priority – Training is only effective if everyone understands the importance of it and makes it a priority. Ensure you have leadership support and attendance. If people see that training is only for the workforce but not for the leadership, then you are already behind.