Identifying and matching organizational roles with the correct cyber security training content is critical, but it is also important to manage programs at every step to get maximum value from them. Program management means ensuring your training objectives match organizational roles, and following up training with practice runs and refreshers to keep specific skill sets sharp.
The following tips are essential for managing your cyber security training programs.
1. Practice Makes Perfect
Muscle memory is a term often used to describe the instinctual response to a stimulus or event. For instance, in the military, muscle memory is built up through battle drills and combat exercises. Exercises are also an effective cyber security practice to improve incident response. Team-based and organization-based exercises not only help develop muscle memory, they also provide the opportunity to discover skills gaps, missing processes, or conflicting priorities prior to an incident.
Exercises can vary in complexity and require different types of resource allocation depending on the business objectives. For example, cyber ranges are utilized to simulate real-world exploits against a virtual enterprise network. Cyber ranges typically require a significant investment in hardware and software. Training companies will offer hosted (as a service) options to make use of their sandbox environments.
Meanwhile, tabletop exercises (TTX) are more focused on exposing decision-makers (management and C-Suite) to real-life scenarios leveraging fewer physical resources. TTX objectives are less about finding an exact right answer to overcome an incident and more about exposure to a range of possibilities during a cyber-attack.
2. Clarity in Tasks and Requirements
One of the most significant factors to evaluate job performance/production is a clear understanding of individual roles and functions. This may seem like a simple exercise. However, as changes in technology and business requirements occur, people are often required to switch gears to cover different responsibilities. Eventually, positions and tasks can become misaligned, making training selection all the more difficult.
Coordinating training requirements throughout an entire team or organization presents additional and even more significant challenges. Training leaders find themselves asking:
- Where are my team’s training gaps?
- Which role should have X responsibility?
- Who is our expert on Y?
- If that person leaves, do we have coverage in case of emergency?
Goals for cyber security and information technology staff are often too broad: “Protect our networks so we don’t get hacked.” It’s important for decision-makers to take time to truly analyze and granularize goals to identify specific training requirements, priorities, and functional capabilities across their teams. Ask yourself: do you expect your staff to respond to a cyber security incident, or should incident response be outsourced? The answer to that question drives the training priorities.
3. The ABCD’s of Training
Effective cyber security training requires hands-on application and a curriculum designed to help people accomplish specific objectives. In the instructional design field, objectives are often designed based on the ABCD model. Before investing in training, take time to review and understand the course objectives, as they are the core of the course.
A course objective, if well-written, should usually identify the following factors:
- Prerequisites that participants need to meet
- Skills staff should gain from the training curriculum
There’s no point in spending money on expensive training for security professionals – or any employees – if they aren’t set up for success after completing the course. Course documentation should plainly state how your organization and employees will benefit.
To learn more about cyber security training best practices, tune in now for our webinar, How to Invest Your 2017 Cyber Security Training Budget for Maximum ROI, or download our white paper on this topic, How to Invest Your Cyber Security Training for Maximum ROI.