Yangyuan Lin says
I think the most cost-effective training for employees is the corporate culture. The corporate culture is created by the management, the board of directors, and the employees at the upper and lower levels. A good corporate culture can motivate employees. When a company’s superiors show excellent behavior, I believe that lower-level employees will imitate it.
Different enterprises may have different needs. Enterprises should customize practical and cost-effective training suitable for enterprises according to their own requirements. Online learning is a relatively low-cost method. Employees learn online through video teaching. Or companies can find outsourcing companies to train their employees, and ask the outsourcing companies to tailor training content and methods for the company to adapt to the company’s own needs.
Elizabeth Gutierrez says
Hi Yangyuan,
I appreciate you bringing up the reality that different enterprises may have different needs. I think the question that needs to be asked when determining how much a company should be spending on security awareness training is whether the losses prevented by awareness training are more than the cost of the awareness program. Security professionals are supposed to design and implement security programs that cost-effectively mitigate risk; not completely prevent risk, but mitigate the risk. You will have losses, but your goal is to control the losses in a reasonable manner. You can use the return on investment equation (ROI) to see whether the benefits of security awareness training outweigh the costs.
Shubham Patil says
Yangyuan,
That’s a unique perspective on customized training. Custom training content addresses an organization’s specific business challenges. It is a time-efficient way to close the gap between where your learners are and where they need to be. A custom blended learning program can help cater to a wide variety of learning styles. It maximizes the return on investment (ROI) through higher knowledge retention.
Elizabeth Gutierrez says
There is a misconception that training concerning security awareness will break the bank when in reality, the cost of training is relatively low compared to other technology investments. If anything, I view awareness training as the most cost-effective network protection measure a company can take because it is an investment. However, if a company is indeed on a budget or it is a start-up with limited resources, I would recommend their IT security governance team making prioritization their major function. For example, they should determine priorities among the potential conflicting interests, budget setting, and resource allocation. Additionally, I would recommend using the free resources available from SANS and the U.S. Government. The SANS Institute has several free security awareness resources, and has partnerships that provide programs and training at affordable cost to improve an organization’s state of security as well as online technical training courses. Another great resource is the “Federal Information Security Management Framework Recommended by the National Institute of Standards and Technology” that describes the risk management framework specified in FISMA, which would be useful in implementing an IT security management plan; the benefit of this framework is that it can be used as a guideline by any organization. Lastly, the Federal Trade Commission (FTC) offers a small business resource pack that covers a lot of security best practices ranging from managing vendors to handling ransomware free of cost.
Yangyuan Lin says
Hi Elizabeth,
I agree with you and I believe the training will be one of the low-cost methods. As you said, companies or startups with limited budgets can use the free resources provided by SANS and the US government. It is very low-cost to train employees through online teaching. Although online teaching may not be so effective, it can improve efficiency by regularly testing and appraising employees.
Shubham Patil says
Organizations nowadays have a lot of cost-effective training options for their employees: different methods such as classroom-style training classes, web sessions, security awareness websites, compliance dashboards, etc. Various security training companies, government and private, like CISA and SANS, offer free online training and webinars which organizations can take advantage of.
Third-party cloud-based security awareness training vendors have licensed training and management portals which link to your organization’s learning management systems, and they can create their own training modules for their employees. This saves a lot of costs for companies as they follow a shared model.
Newsletters and emails are effective for organizations to communicate targeted organization-specific content to employees. Webinars and lunch-and-learns offer the ability for employees to interact with each other and the speaker in a live situation, whether remote or in-person. Posters displayed in communal spaces provide visual awareness reminders and can be used to reinforce important cybersecurity training.
Oluwaseun Soyomokun says
I would recommend professional institutions, colleges and professional affiliations such as ASIS International, ISACA, High Technology Crime Investigation Association, Information Systems Security Association, CISA and SANS (which offer free online training), InfraGard, Temple University, etc. Join to add value through educational training and certification programs tailored to Essential Security Education for industry and organization. Participation in these associations is a cost-effective way to get up to speed with current security trends and issues.
By complying and focusing on the security policies, and implementation of the organization. Understanding security controls, awareness of the risks, threats and vulnerabilities associated with negligence. Understanding the costs needed to respond to attacks and fixing problems initiated by users. Help keep the organization’s robust security infrastructure from threats and vulnerabilities.