The Security Innovation Europe Blog

What to Look for When Selecting a Third-Party Security Training Vendor

Posted by Alan Pearson on Aug 20, 2015


You’ve weighed up the pros and cons of in-house and outsourced security training, and now it’s time to choose a third-party training vendor. Your choice of partner will have a far-reaching impact on the efficacy of your security training investment, so it’s essential to choose a vendor capable of rolling out an effective security training program.

To make the right choice, it’s important to ensure that your chosen vendor offers each of these crucial aspects of effective security training.

1) Computer-Based Training

Many security training vendors rely on classroom-based training, often requiring participants to give up two to three days of their time to complete security courses. In a fast-paced work environment, this poses obvious problems. This style of training can be heavily disruptive, interrupting current projects and causing resentment amongst its participants.

With the information delivered in a relatively short period of time, the security knowledge developed by these courses can prove hard to maintain, and vendors often fail to provide an opportunity to periodically brush up on the material learned during the course.

Computer-based eLearning courses offer a more effective alternative, making it possible for organisations to:

  • Future-proof security training, allowing for regular syllabus updates alongside changes to the security environment.
  • Allow participants to engage with security training without disrupting their current workload.
  • Easily track the efficacy of training, monitoring uptake, adherence and completion rates for each part of the security syllabus.

2) Industry Expertise

Proven security expertise is a fundamental criterion for choosing a third-party security vendor – but it isn’t the only expertise your organisation should be looking for.

Effective security training relies on an intimate understanding of the industry it’s being applied in, including its unique technologies, challenges and security threats. For organisations in the software industry, it’s essential to choose a partner that specialises in training secure application developers.

3) Role-Specific Training

It’s essential that your chosen vendor has the capability to tailor security training to the individual needs of your employees.

Within each industry, employees will regularly engage with a wide range of development languages, platforms and technologies. Some organisations take a broad-brush approach to the problem and inundate all employees with a barrage of irrelevant training, while others neglect crucial aspects of security training and cover only the most basic of topics.

It’s important to partner with a security vendor that accommodates the unique needs of employees in an engaging and relevant way, through the use of role-specific security training. Training modules can be offered to different employees according to their role, allowing them to engage with training that’s guaranteed to be relevant and helpful.

4) A Centralised Repository of Security Knowledge

A secure culture can’t be developed overnight, and a single stand-alone security syllabus won’t be enough to significantly improve your organisation’s security. As with all types of learning and development, there’s a difference between understanding security, and being able to effectively apply it.

In order to get significant results from your security training investment, it’s essential to choose a vendor that offers some form of security information repository. This database of accessible security information makes it easy for employees to brush up on their security knowledge, and allows them to effectively apply that knowledge whenever a real-world threat appears.

If a developer is concerned about a potential cross-site scripting vulnerability, they’ll be able to look for similar examples in the repository and choose a method of remediation that’s quick and effective.

5) Testing and Measuring Results

Many organisations struggle to roll out an effective security training program, and find themselves left with dissatisfied employees and expensive shelfware. In many cases, this stems from a lack of communication between security vendor and organisation, with neither party able to effectively communicate the value and efficacy of the security program. As a result, training doesn’t achieve a satisfactory outcome, and the security program is abandoned.

It’s essential that your chosen security vendor periodically tests the efficacy of their security syllabus. As well as testing the knowledge of participants with short end-of-module tests, and monitoring attendance and completion rates, it’s vital to demonstrate the outcomes of the training in terms of reduced vulnerabilities and remediation costs. Doing so makes it easy to communicate the value of security training, and allows executives and the C-suite to prioritise security education, awareness and further training.

To learn more about the crucial steps involved in rolling out an effective security training program, you can download our free eGuide below.
