Each organization may have a different definition for ‘practical cost-effective training’ for its employees, however I would recommend either SANS.org and ISC2 if the organization can afford it.
If the organization has knowledgeable information security employees, it would be a good idea to have these individuals prepare classes / information sessions for others in the company, so that they can see directly how information security impacts the company.
Alternatively, there are free resources online that an organization can leverage to develop their own SETA program, tailored specifically to their own employees.
SANS.org and ISC2 are both well-renowned organizations for cybersecurity training. A couple of programs that I found to be affordable and reputable are Pluralsight and Cybrary. The online courses and video workshops provided within these programs make the cost worthwhile, and they give the best breakdowns of cybersecurity concepts to make it understandable for all employees.
Andrew,
I agree with you, practical cost effective training is different to a company like Walmart compared to a Mom and Pop shop. PluralSight and Cybrary has also great training that are low cost.
Hi Andrew,
I agree with you about companies creating their own courses for their employees to take. Because unqualified employees tend to reduce productivity, companies need to pay attention to employee training. By developing SETA programs that are part of an organization using free online resources so that employees can learn in a way that is most relevant to their job, current skill level, and development needs, you are not only improving employee skills, but also controlling training costs. Being overly critical of cost cutting cannot ignore the quality of learning and results.
The most cost-effective training for information security an organization can acquire would be to inventory potential employees interested in developing these skill sets, thereby investing resources internally and educating users at the same time. There is plenty of subscription-based, exceptionally affordable training such as Cybrary or PluralSight, which often offer enterprise packages. Another option would be to request as part of contractual agreements with outside security vendors that they provide training to internal employees. Continuous training is a reality for any security professional. It would be wise for any organization seeking to retain talent to utilize methods that grow its employee’s skillsets to bolster the business’s security posture with cutting-edge best practices.
I had to comment on your post! When I first arrived at my organization I sought out an mentor because I was being introduced to Risk Management Framework, but only had the general idea of Cybersecurity in mind. My mentor actually referred me to Cybrary as an easy resource to use to help study for Security + at the time and introduced me to other topics within Cybersecurity. Personally now I prefer to read or listen to audible because it’s much more convenient, but I thought it was a good resource to use at the time!
Cost effective training modules would be Pluralsight or Coursera as they offer enterprise packages at a fair price. To supplement the training modules, a good class training course for a week or two can help complement the training modules. The class training can be designed by the organizations security professionals and taught by someone with relative experience in the industry or by another outside party, but it would be more costly.
Hello Wilmer,
Those are the good platforms for the training. Also, the another thing to consider would be if those platforms can customize the training based on the industry (as an example Healthcare or Financial). As there would be different requirement for different industry and different position within the organization.
Wilmer,
A class training is a great idea for a low cost but still an efficient way. Employees within the firm can pass out surveys or/and quizzes to see how the employees did after the training. Another way is to assign employees readings and videos on YouTube.
An organization can find practical cost-effective training on some platforms like Skillsoft and Pluralsight. Some organizations may assign an internal HR or IT team to come up with designs and knowledge to list out all skills their employees must know to be productive and to follow company policy effectively. Those platforms allows the top management to monitor who completed the courses successfully in order to comply with company policy.
NIST.gov offers a number of resources for use by small and medium sized businesses. I would recommend that they review https://www.nist.gov/itl/smallbusinesscyber for a general overview of available content. From there, they can visit https://gcatoolkit.org/cyber-basics-for-small-businesses-training/ for additional training materials. While these pages are geared towards small and mid-sized businesses, the concepts can be applied to any organization.
Overall I think the most important part of this recommendation is to educate the business on cybersecurity standards and equip them to search for content on their own. Once conveyed, they can search and evaluate content, repackaging it into email newsletters, posters, and other low cost communications.
I think the NIST website would be a great cost-effective resource for companies to turn to. We’ve learned so much already how NIST plays a huge role in creating the standards that companies follow to secure their organizations. It makes total sense to go to them for additional resources when it comes to the topic of security training.
A cost effective training and awareness program would be eset.com. Set offers training programs ranging from 10 employees for 250$ to 100 employees for 1,650$. The program offers 60 and 90 minute online training courses with cybersecurity awareness training, phishing simulation, interactive sessions, role playing, quizzes and certification, plus more. They also offer a free trial for businesses.
After doing my research, some of the best cost-effective cybersecurity training programs seem to be Cybrary and Pluralsight. Cybrary is one of the top IT development platforms that consists of online tools and courses that help with teaching employees cybersecurity concepts. Pluralsight is also an online learning platform that provides a variety of courses for all different types of IT professionals as well as basic training for all employees. It seems that Cybrary is the cheaper, more cost-effective option of the two; however, both are highly reviewed as the top program for employee training
Hi Michael, I actually used Cybrary previously to learn some security material in the past and it was decent – for free content it is quite extensive and hard to complain about. It has many different trainings and the instructors are industry-leading professionals. There is better content out there if one wishes to pay for it, but this was great for free as an individual. The corporate packages seem to be fairly priced as well based on reading others’ reviews.
For cost-effective training, I would recommend online courses from Udemy and ITProTV. Udemy has a plethora of free and affordable courses in security for professional adults and students. ITProTV is an excellent entertaining website with a course library filled with virtual labs for audit, cyber, and other IT learning solutions for business and personal use.
For cost effective security training, employers can utilize a resource like LinkedIn Learning. LinkedIn Learning has over 16,000 courses that cover various topics, including but not limited to IT security. Their courses are very informative and some offer certifications upon completion. However, for something like this would most likely need to be supplemented with other methods, due to most of the training being short-medium length videos.
Ultimately it is up to the company to decide what is considered cost effective for them. There are numerous resources online that offer IT training in some form or another. It is the responsibility of the company to decide what ones will be best suited for them and the most cost effective. It would be best for each company to do their own research online and find the best one for them.
Most of the cyber security attacks are successful due to human error. Human behavior is one of the most vulnerable factors in most of the attacks. If the attacker fails to breach network security, then they go for an insider attack, and the success rate of such an attack is very high. It is extremely crucial and important to monitor and detect and to protect an organization from an insider attack. Keeping track of behavioral change in employees, and monitoring social networking sites for disgruntled employees can be helpful in preventing insider attacks.
Scheduling fake phishing and creating social engineering attack scenarios can be helpful in monitoring employee behavior and checking the response rate of how an employee behaves before, during and after an attack. This gives employers an exact idea about how the organization’s employees would behave in a real situation. This type of scenario testing can help in enhancing or redesigning security education training.
It is important to give priority to security training regularly, this not only helps improve the importance of security training education for each and every employee, but also can help employees recognize how human error can be detrimental to the organization.
I appreciate your point on phishing simulation testing. One of the most common ways hackers gain access to the network is via phishing, so it is vital employees know how to respond. Having policies in place are useless if your employees aren’t aware of the policy or how to act when they receive a phishing attack. Launching phishing simulation tests and making sure employees know where that “report phish” button is or how to inform the infosec team is key.
Hello Mohammed, while I agree with your point that it is essential to prioritize security training regularly, I beg to disagree that most cybersecurity attacks are successful because of human error. First, most of the attacks we see today are adversarial and not human error, i.e., ransomware and phishing attacks. It is, however, right to state that they are all human enabled in one way or the other. Secondly, phishing simulations, as mentioned above, are costly because the organization must pay millions to implement and subscribe for the service from the Vendor, unlike other available online open-source training.
Depends on the size of the organization and it’s goals. The general mom & pop shop could probably utilize places such as LinkedIn Learning that provide easy access to basics and fundamentals for cybersecurity. For larger organizations; or organizations pertaining to the Department of Defense I would suggest using NIST as a resource and begin reading into the special publications and material that they provide. NIST also provides several resources for small businesses as well. For individuals within organizations there are free sites such as Cybrary that offer easy to follow courses for someone trying to get their entry Security + Certification.
Hi Michael, I agree with you on this. LinkedIn Learning is an excellent resource! Government cybersecurity entities also have a lot of information/training at their disposal; sometimes state agencies too. Great assessment!
I agree with your statement, the type of training and the cost associated with it will depend on the organizations’ size and goals. Larger e-learning sites like LinkedIn learning or Udemy are great resources as you said to gain the fundamentals of cybersecurity, and then using publicly available resources like NIST and self-learning is a great cost-cutting measure.
The most cost-effective training for information security an organization can acquire would be through in-house roles and tool-based training facilitated by SMEs within the organization.
Secondly, plenty of online subscription-based, self-paced, or synchronous low-cost training platforms such as Cybrary.org. edureka.com and Coursera etc., exist with individual or enterprise packages that provide CPEs. Another option would be through relevant seminars and webinars from 3rd party training experts.
Due to the dynamic technology landscape, awareness and training are a must. Therefore, every organization should have a mature awareness and training program to ensure that employees are regularly trained and equipped to achieve company goals and objectives, particularly from a security perspective.
The most practical, cost-effective training and organization can be through in-house roles and tool-based training facilitated by SMEs.
Secondly, plenty of online self-paced or synchronous low-cost training platforms such as Cybrary.org. edureka.com and Coursera etc., exist with individual and enterprise packages that provide CPEs towards set out employee training requirements. Another option would be through relevant seminars and webinars from 3rd party training experts.
Due to the dynamic technology landscape, regular awareness and training are a must. Therefore, every organization should have a mature awareness and training program to ensure that employees are regularly trained and equipped to achieve company goals and objectives, particularly from a security perspective.
I agree that leveraging in-house roles can be a great way to provide security awareness training. I’ve seen “lunch and learns” used effectively at some companies. The security team would attend these sessions and present on a topic to the wider company.
Matt, this is such a great idea! Lunch and learns really captivate the importance of SETA materials, while finding an interactive, enticing way for users to learn. Great point.
I have seen organizations use this format in 2 dimensions – attendees pick up the cyber knowledge or awareness and the SMEs hone their skills in presenting and sharing complex areas like cyber-security. One organization required sr technical people to prepare and present internally at ‘Lunch and Learns’ as a requirement for promotion!
I would recommend an organization to be able to use its own internal IS team, CIO, and other executives to develop a cost-effective training system for its employees.
This would be my recommendation because a company’s top IS employees should already be well educated in the field and up-to-date with recent news and breach methodologies. No one employee could reasonably be responsible for knowing all this knowledge and teaching it to non-tech employees, but the overall team of IS employees should be. By developing a training program for all employees, IS workers will be able to approach the company’s policy from a different perspective and will begin to realize how non-tech employees think about and take in the policy and educational materials. In addition to these reasons, outside training and education sessions may be more boring than internally-developed training sessions, which would be wasting some money and decreasing retention by employees. The outside organization hired to teach the material also would not be as interested or intriguing as internal employees or executives.
With all of that being said, I think it is critical to have an outside technical/IS company review the company’s training policy and meet with top IS employees, because even though internal IS employees should be up to date with industry trends, they may not be. It is always good to get outside opinion and double-check your own policy, but the cost should at least equal the benefits. Outside organizations that i would recommend IS training of employees, or just review of training/IS policy, would be IBM, FireEye, Deloitte, and more. The specific companies i mentioned probably have the most broad/inclusive view of cybersecurity issues across all industries, and even though they may be more expensive than other companies, it would be worth it to have them review company policy and training strategy every once in a while (maybe once a year) to supplement internal IS employees knowledge and expertise.
By using the strategy outlined above, a company can implement IS training for its employees with the costs being its normal expenditure for its IS team employees and execs, plus the annual/semi-annual review of its policies by the experienced outside firms.
Having an outside IS company take a look at the training policy is a great idea, having that other/outside perspective could be critical in helping the company come up with the best policy possible
Where would you recommend an organization find practical cost-effective training for its employees?
Effectively choosing a method of employee training would probably require some more information about the goals and size of the business, while some options could still be suitable for one of any size. However, there should still be a mixture of training sources regardless of a chosen training program if outsourcing the training is the choice that is made. While some have already mentioned some major third party security training platforms that are commonly used, I would like to add INE to the list, as it provides some very effective free training that an organization of any size could use to generate a higher level of security understanding for all types of employees. INE also provides corporate training packages that are reasonably priced in comparison to its competitors. To add another layer and further develop awareness of security, I would also have an internal team still be performing assessments like phishing tests against all employees and enforcing follow-up training videos and a brief quiz for example for those who fell victim.
I agree with you that training should come from both internal and external sources. Training and awareness from internal sources will not always give the best results. Having a third party come in and spread a different voice can always add value to the employees and the company.
Well said, Corey; training should always be sourced internally and externally. However, in situations where SMEs exist within the organization or when the organization lacks the required skill set to facilitate role and tool-based training, the organization’s security need must be adequately addressed. Whether internal training would not give the best outcome is yet to be proved, even though it is always better to seek vendors’ approaches. Regardless, there are now so many budget-friendly avenues out there to access activities. The overall objective is security awareness and training to ensure that its employees are adequately protected.
Where would you recommend an organization find practical cost-effective training for its employees?
For cost-effective training, education, I would suggest online courses from Udemy and NIST has huge resourceful material free of charge and cheaper programs in security for professionals and students. who has no knowledge of studying IT .The company views training as a key component of employee retention, which is increasingly important as the wave of baby-boomer retirements begins to go on retirement.
It is absolutely essential to place more premium to security training regularly, this not only done to assist to employees to appreciate the value of security training education for every employee, However, it can help employees understanding how human error can have a serious impact to the organization
I believe that no expense should be spared in the effort of training end users and making them more aware of the best practices regarding IT security. “Measuring the effectiveness of various efforts can be costly and time consuming, but it must be done if you want to ensure that you are reaching your target audiences.” (SANS reading 2)
However, after reading some of my classmates’ posts I do agree that Udemy would be a great way to help educate everyone in the organization of IT security best practices.
Good point Joshua. Whatever the cost may be to train employees and making sure the best practices regarding IT security are utilized, if it is successful and everyone benefits from this training, then an accomplishment has been made and whatever the cost may be to help educate staff should not be an issue. However, if there is a cost-effective way to help train at an inexpensive price, and is just as beneficial, then by all means saving money by using a great resource such as Udemy is a good idea as well.
Hello Joshua, to add to your point, I also started my security career learning on platforms like Udemy, Edureka, Coursera, and Cybrary, and I see them as very useful. However, I want to add that they begin as open-source with no subscription requirements and later become pricy with aggressive marketing tactics. The beauty of online security training sources is obtaining certificates of completion which could also be used in resume building under the credentials and certifications paragraph.
I have have a friend who has downloaded some of Udemy’s material and copied it for me on a hard drive. For sure Udemy is goes in-depth with their course material. I never had access to the actual web site and COMPLETE course material. But the videos I’ve watched which is majority of the course material was very interesting. The professionals they have teaching these courses do an exceptional job. They talked about a lot of topics for the information security course, including the CIA triad and even penetration testing.
I agree with you Chris that it is very cost effective. & Olayinka I didn’t know they offered their own certificates that someone who has subscribed can add to their resume…. That’s pretty dope! That’s a good incentive for me to actually subscribe.
I would consider looking into your cyber insurance offerings, if any are available. Some big-name insurance companies such as AIG, Beazley, and Chubb offer free or reduced-cost employee phishing simulation awareness training, as well as other offerings.
If no options are available, I would recommend developing the trainings in-house or researching reduced-cost trainings. NIST provides a list of recommendations on their website (link below). It would be a good idea to see if any of the NIST-recommended companies specialize in your industry.
I think it is very smart idea to not only look into cyber insurance, but also what training programs different insurance companies offer. Cyber insurance is growing more and more necessary for even small-to-mid size firms, and any company having built-in or discounted IS training included in their package would have a considerable benefit over other insurance companies and/or policies that don’t. I did not think about looking into cyber insurance companies in regards to IS training before I read your post.
First, looking for external options, company should consider developing cross-training program where employees are arranged to shadow each other and develop new skills and techniques from their teammates. Also, mentoring would help to transform knowledge from top to bottom of the organization. These activities would put the team on the same page and avoid additional cost related to external resources.
As external learning, E-learning should be the option considered first. Considering that the whole world and businesses are transferring to online platforms during the COVID-19. It would be very smart to ensure that the trainings take place online. Instead of physical face-to-face training (snacks and drinks), online training can be offered at less cost. Videos and tasks can also be assigned offline to give flexibility to employees. This can be offered as a cost-saving option that adapts to the pattern of workers currently working online. Luckily, lots of platforms offer free or paid certification programs to ensure security training such as Udemy, Open University, Future Learn, Coursera, NextGenT.
There are many platforms which the companies can use to provide their employees security training. The few of the platforms are Proopoint, KnowBe4, Infosec, and/or LinkedIn Learning. It would be depended on the size of the organization and the requirements of the organization to determine the cost. If the company is big enough them, they could also design/create their own trainings for their employees.
My biggest suggestions for an organization to find cost effective training is 1. to build training in house with various professionals in the organization/internal auditors who are educated in NIST/ISO best practices, and (if in-house training is not an option) 2. Open education resources (OER’s). The federal/state government offers an array of tools for private organizations to promote cybersecurity. For example, in New Jersey, the New Jersey Office of Homeland Security and Preparedness (NJOHSP) offers free incident response and information security training through their website, virtual lectures, and in-person events. These training sessions are all free of charge, targeted to reach private sector companies that might not have the resources to orchestrate a SETA of their own, In addition, companies like Microsoft/Azure offer whitepages and other security awareness platforms for companies/individuals to educate themselves on,
Thanks for sharing Lauren. I too suggested using an existing resource within the organization and I agree with your point that it could also be spread across a number of organizational units, such internal audit and security, to help raise awareness and provide training to users on the importance of security. This could be a solid approach with the security side focusing on how the SETA program should be implemented while internal audit, with the help of perhaps a Business Continuity unit, could assess the systems and users who pose the most risk and who handle some of the organizations most critical data to ensure they are prioritized when it comes to security awareness and training.
Conducting trainings in-house is usually the most cost-effective way to go, but a barrier to that would be if the organization does not have the skilled employees to conduct/develop the trainings. This is usually the case for smaller organizations who end up outsourcing to third-party vendors. If we take the least flexible scenario where in-house training is not an option and the organization does not have enough employees or willing employees to build the necessary skills to train, then the next best option is to go to an outside source like SANS.org or ISC2 to gain the technical information security training.
It would be interesting to see an organization dedicate a current security minded resource, such as a security analyst, to provide training to the rest of the employees on behalf of the organization. This could be included in a weekly email communication that is sent to every employee within the organization or the security analyst could pre record a video which could be required for all existing employees to watch on a periodic basis. This may not be easily deployed for organizations with limited employee resources – however, I’d argue these same organizations most likely lack financial resources, especially when it comes to budgeting for security. Therefore, if a capable security minded person already exists within the organization I think it could be beneficial for an organization to have them dedicate just 5-10% of their daily job duties to educating the rest of the organization.
Where would you recommend an organization find practical cost-effective training for its employees?
No matter the size of the organization I would “recommend” they first try to accomplish this with their own IT/IS team. If possible, this not only cuts out the cost but its internal so those giving the training are more familiar with how the organization/business runs so the training will be more effective.
If this is not possible, there are several online resources that many of my classmates have already named. Dont want to beat a dead horse but NIST, Udemy, Linked In Learning, PluralSight are some great ones.
Where would you recommend an organization find practical cost-effective training for its employees?
The term cost effective does vary widely based on the security requirements of the situation or the organization. The US Govt or US Military spends considerably more than the local website creation and hosting organization – appropriately so! However, if someone is resource constrained then a plethora of resources are available from sites like youtube, LinkedIn, Coursera, AWS, Azure, NIST, SansInstitute etc. These materials range from free to small cost per viewing. The power of Google can not be understated when tackling a problem like this one!!
Identifying course content is only part of the equation, finding ways to get the employees to engage to truly learn and apply the material is the challenging part!
Hi Richard, “plethora” is the perfect term for the amount of resources anybody can utilize to search for security training. Youtube is a good mention for it being free to use and the countless amount of content anybody can find for training purposes.
To determine where an organization can find practical-cost effective employee training for its employees, one must really determine the size of the organization. Any large or medium sized organization should have its own IT Security team in place, or should be outsourcing one. The level of risk you expose yourself to grows with the size of your company, so making sure your employees are educated on security risks but be a main priority. If the organization is smaller, and doing what I previously said is not a possibility, there are many resources available. Management should spread awareness on the matter, encourage outside research, or implement some cheap methods such as training videos/quizzes..
Where would you recommend an organization find practical cost-effective training for its employees?
First, I would find out within the company what the business objectives and what the business needs to excel in. How many employees there are, and what level of knowledge. On the management level, management is more advanced than consultants. That case, the organization has to find a training that suits all employees. First, the organization can try a “blended approach.” An employee can learn from their coworker and read more about the training online. There are tons of videos and learning sites that employees can sign up for from little to no cost. An organization can assign a quiz after each training. Continuous training such as PluralSight and Cybrary is affordable for an organization. PluralSight provides a subscription for a year, involving courses for Information Technology Professionals. Additionally, Cybrary offers 300 video courses and tons of hands-on labs.
I don’t think finding practical, cost-effective training for employees is the same as lowering the quality of training. Unqualified employees tend to reduce productivity.
1. Online learning is an option. E-learning can increase efficiency and reduce costs.
2. A learning management system (LMS) that can organize the required content into each class session and track employee performance. There are several companies that offer SaaS (cloud-based) learning management systems.
If training content is compatible with mobile devices and easily accessible so that employees can learn in a way that is most relevant to their job, current skill level and development needs.You can also control costs while improving employee skills.
@Dan- NIST provides accountability is major way to ensuring security awareness in a cost effective manner. ccountability
One of the keys to a successful computer security program is security awareness and training. If employees are not informed of applicable organizational policies and procedures, they cannot be expected to act effectively to secure computer resources.
Both the dissemination and the enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when caught doing something wrong.
There are multiple companies which provide SaaS (cloud-based) Learning Management Systems. The big advantage is that while the learning content will be created by you and meet all your specific needs you will not need to worry about technology. It’s all taken care for you. It can cost you from few hundreds to few thousands per months just to use the software, however.
Use Reporting Tools: It’s an absolute must to define which courses and modules are necessary and useful.
On-the-job or hands-on training jumps straight to the practical skills necessary for the job. New hires begin working immediately with this training method. In some cases, it may be beneficial to incorporate an employee shadowing component. This will allow new hires to gain a little insight into the context and job requirements before trying it on their own.
Each organization may have a different definition for ‘practical cost-effective training’ for its employees, however I would recommend either SANS.org and ISC2 if the organization can afford it.
If the organization has knowledgeable information security employees, it would be a good idea to have these individuals prepare classes / information sessions for others in the company, so that they can see directly how information security impacts the company.
Alternatively, there are free resources online that an organization can leverage to develop their own SETA program, tailored specifically to their own employees.
Hello Andrew,
SANS.org and ISC2 are both well-renowned organizations for cybersecurity training. A couple of programs that I found to be affordable and reputable are Pluralsight and Cybrary. The online courses and video workshops provided within these programs make the cost worthwhile, and they give the best breakdowns of cybersecurity concepts to make it understandable for all employees.
Andrew,
I agree with you, practical cost effective training is different to a company like Walmart compared to a Mom and Pop shop. PluralSight and Cybrary has also great training that are low cost.
Hi Andrew,
I agree with you about companies creating their own courses for their employees to take. Because unqualified employees tend to reduce productivity, companies need to pay attention to employee training. By developing SETA programs that are part of an organization using free online resources so that employees can learn in a way that is most relevant to their job, current skill level, and development needs, you are not only improving employee skills, but also controlling training costs. Being overly critical of cost cutting cannot ignore the quality of learning and results.
The most cost-effective training for information security an organization can acquire would be to inventory potential employees interested in developing these skill sets, thereby investing resources internally and educating users at the same time. There is plenty of subscription-based, exceptionally affordable training such as Cybrary or PluralSight, which often offer enterprise packages. Another option would be to request as part of contractual agreements with outside security vendors that they provide training to internal employees. Continuous training is a reality for any security professional. It would be wise for any organization seeking to retain talent to utilize methods that grow its employee’s skillsets to bolster the business’s security posture with cutting-edge best practices.
Hey Kelly,
I had to comment on your post! When I first arrived at my organization I sought out an mentor because I was being introduced to Risk Management Framework, but only had the general idea of Cybersecurity in mind. My mentor actually referred me to Cybrary as an easy resource to use to help study for Security + at the time and introduced me to other topics within Cybersecurity. Personally now I prefer to read or listen to audible because it’s much more convenient, but I thought it was a good resource to use at the time!
Cost effective training modules would be Pluralsight or Coursera as they offer enterprise packages at a fair price. To supplement the training modules, a good class training course for a week or two can help complement the training modules. The class training can be designed by the organizations security professionals and taught by someone with relative experience in the industry or by another outside party, but it would be more costly.
Hello Wilmer,
Those are the good platforms for the training. Also, the another thing to consider would be if those platforms can customize the training based on the industry (as an example Healthcare or Financial). As there would be different requirement for different industry and different position within the organization.
Wilmer,
A class training is a great idea for a low cost but still an efficient way. Employees within the firm can pass out surveys or/and quizzes to see how the employees did after the training. Another way is to assign employees readings and videos on YouTube.
An organization can find practical cost-effective training on some platforms like Skillsoft and Pluralsight. Some organizations may assign an internal HR or IT team to come up with designs and knowledge to list out all skills their employees must know to be productive and to follow company policy effectively. Those platforms allows the top management to monitor who completed the courses successfully in order to comply with company policy.
NIST.gov offers a number of resources for use by small and medium sized businesses. I would recommend that they review https://www.nist.gov/itl/smallbusinesscyber for a general overview of available content. From there, they can visit https://gcatoolkit.org/cyber-basics-for-small-businesses-training/ for additional training materials. While these pages are geared towards small and mid-sized businesses, the concepts can be applied to any organization.
Overall I think the most important part of this recommendation is to educate the business on cybersecurity standards and equip them to search for content on their own. Once conveyed, they can search and evaluate content, repackaging it into email newsletters, posters, and other low cost communications.
Hi Matt,
I think the NIST website would be a great cost-effective resource for companies to turn to. We’ve learned so much already how NIST plays a huge role in creating the standards that companies follow to secure their organizations. It makes total sense to go to them for additional resources when it comes to the topic of security training.
A cost effective training and awareness program would be eset.com. Set offers training programs ranging from 10 employees for 250$ to 100 employees for 1,650$. The program offers 60 and 90 minute online training courses with cybersecurity awareness training, phishing simulation, interactive sessions, role playing, quizzes and certification, plus more. They also offer a free trial for businesses.
After doing my research, some of the best cost-effective cybersecurity training programs seem to be Cybrary and Pluralsight. Cybrary is one of the top IT development platforms that consists of online tools and courses that help with teaching employees cybersecurity concepts. Pluralsight is also an online learning platform that provides a variety of courses for all different types of IT professionals as well as basic training for all employees. It seems that Cybrary is the cheaper, more cost-effective option of the two; however, both are highly reviewed as the top program for employee training
Hi Michael, I actually used Cybrary previously to learn some security material in the past and it was decent – for free content it is quite extensive and hard to complain about. It has many different trainings and the instructors are industry-leading professionals. There is better content out there if one wishes to pay for it, but this was great for free as an individual. The corporate packages seem to be fairly priced as well based on reading others’ reviews.
For cost-effective training, I would recommend online courses from Udemy and ITProTV. Udemy has a plethora of free and affordable courses in security for professional adults and students. ITProTV is an excellent entertaining website with a course library filled with virtual labs for audit, cyber, and other IT learning solutions for business and personal use.
For cost effective security training, employers can utilize a resource like LinkedIn Learning. LinkedIn Learning has over 16,000 courses that cover various topics, including but not limited to IT security. Their courses are very informative and some offer certifications upon completion. However, for something like this would most likely need to be supplemented with other methods, due to most of the training being short-medium length videos.
Ultimately it is up to the company to decide what is considered cost effective for them. There are numerous resources online that offer IT training in some form or another. It is the responsibility of the company to decide what ones will be best suited for them and the most cost effective. It would be best for each company to do their own research online and find the best one for them.
Most of the cyber security attacks are successful due to human error. Human behavior is one of the most vulnerable factors in most of the attacks. If the attacker fails to breach network security, then they go for an insider attack, and the success rate of such an attack is very high. It is extremely crucial and important to monitor and detect and to protect an organization from an insider attack. Keeping track of behavioral change in employees, and monitoring social networking sites for disgruntled employees can be helpful in preventing insider attacks.
Scheduling fake phishing and creating social engineering attack scenarios can be helpful in monitoring employee behavior and checking the response rate of how an employee behaves before, during and after an attack. This gives employers an exact idea about how the organization’s employees would behave in a real situation. This type of scenario testing can help in enhancing or redesigning security education training.
It is important to give priority to security training regularly, this not only helps improve the importance of security training education for each and every employee, but also can help employees recognize how human error can be detrimental to the organization.
Hi Mohammed,
I appreciate your point on phishing simulation testing. One of the most common ways hackers gain access to the network is via phishing, so it is vital employees know how to respond. Having policies in place are useless if your employees aren’t aware of the policy or how to act when they receive a phishing attack. Launching phishing simulation tests and making sure employees know where that “report phish” button is or how to inform the infosec team is key.
Hello Mohammed, while I agree with your point that it is essential to prioritize security training regularly, I beg to disagree that most cybersecurity attacks are successful because of human error. First, most of the attacks we see today are adversarial and not human error, i.e., ransomware and phishing attacks. It is, however, right to state that they are all human enabled in one way or the other. Secondly, phishing simulations, as mentioned above, are costly because the organization must pay millions to implement and subscribe for the service from the Vendor, unlike other available online open-source training.
Depends on the size of the organization and it’s goals. The general mom & pop shop could probably utilize places such as LinkedIn Learning that provide easy access to basics and fundamentals for cybersecurity. For larger organizations; or organizations pertaining to the Department of Defense I would suggest using NIST as a resource and begin reading into the special publications and material that they provide. NIST also provides several resources for small businesses as well. For individuals within organizations there are free sites such as Cybrary that offer easy to follow courses for someone trying to get their entry Security + Certification.
Hi Michael, I agree with you on this. LinkedIn Learning is an excellent resource! Government cybersecurity entities also have a lot of information/training at their disposal; sometimes state agencies too. Great assessment!
Hi Michael,
I agree with your statement, the type of training and the cost associated with it will depend on the organizations’ size and goals. Larger e-learning sites like LinkedIn learning or Udemy are great resources as you said to gain the fundamentals of cybersecurity, and then using publicly available resources like NIST and self-learning is a great cost-cutting measure.
The most cost-effective training for information security an organization can acquire would be through in-house roles and tool-based training facilitated by SMEs within the organization.
Secondly, plenty of online subscription-based, self-paced, or synchronous low-cost training platforms such as Cybrary.org. edureka.com and Coursera etc., exist with individual or enterprise packages that provide CPEs. Another option would be through relevant seminars and webinars from 3rd party training experts.
Due to the dynamic technology landscape, awareness and training are a must. Therefore, every organization should have a mature awareness and training program to ensure that employees are regularly trained and equipped to achieve company goals and objectives, particularly from a security perspective.
The most practical, cost-effective training and organization can be through in-house roles and tool-based training facilitated by SMEs.
Secondly, plenty of online self-paced or synchronous low-cost training platforms such as Cybrary.org. edureka.com and Coursera etc., exist with individual and enterprise packages that provide CPEs towards set out employee training requirements. Another option would be through relevant seminars and webinars from 3rd party training experts.
Due to the dynamic technology landscape, regular awareness and training are a must. Therefore, every organization should have a mature awareness and training program to ensure that employees are regularly trained and equipped to achieve company goals and objectives, particularly from a security perspective.
I agree that leveraging in-house roles can be a great way to provide security awareness training. I’ve seen “lunch and learns” used effectively at some companies. The security team would attend these sessions and present on a topic to the wider company.
Matt, this is such a great idea! Lunch and learns really captivate the importance of SETA materials, while finding an interactive, enticing way for users to learn. Great point.
I have seen organizations use this format in 2 dimensions – attendees pick up the cyber knowledge or awareness and the SMEs hone their skills in presenting and sharing complex areas like cyber-security. One organization required sr technical people to prepare and present internally at ‘Lunch and Learns’ as a requirement for promotion!
I would recommend an organization to be able to use its own internal IS team, CIO, and other executives to develop a cost-effective training system for its employees.
This would be my recommendation because a company’s top IS employees should already be well educated in the field and up-to-date with recent news and breach methodologies. No one employee could reasonably be responsible for knowing all this knowledge and teaching it to non-tech employees, but the overall team of IS employees should be. By developing a training program for all employees, IS workers will be able to approach the company’s policy from a different perspective and will begin to realize how non-tech employees think about and take in the policy and educational materials. In addition to these reasons, outside training and education sessions may be more boring than internally-developed training sessions, which would be wasting some money and decreasing retention by employees. The outside organization hired to teach the material also would not be as interested or intriguing as internal employees or executives.
With all of that being said, I think it is critical to have an outside technical/IS company review the company’s training policy and meet with top IS employees, because even though internal IS employees should be up to date with industry trends, they may not be. It is always good to get outside opinion and double-check your own policy, but the cost should at least equal the benefits. Outside organizations that i would recommend IS training of employees, or just review of training/IS policy, would be IBM, FireEye, Deloitte, and more. The specific companies i mentioned probably have the most broad/inclusive view of cybersecurity issues across all industries, and even though they may be more expensive than other companies, it would be worth it to have them review company policy and training strategy every once in a while (maybe once a year) to supplement internal IS employees knowledge and expertise.
By using the strategy outlined above, a company can implement IS training for its employees with the costs being its normal expenditure for its IS team employees and execs, plus the annual/semi-annual review of its policies by the experienced outside firms.
Hi Michael,
Having an outside IS company take a look at the training policy is a great idea, having that other/outside perspective could be critical in helping the company come up with the best policy possible
Where would you recommend an organization find practical cost-effective training for its employees?
Effectively choosing a method of employee training would probably require some more information about the goals and size of the business, while some options could still be suitable for one of any size. However, there should still be a mixture of training sources regardless of a chosen training program if outsourcing the training is the choice that is made. While some have already mentioned some major third party security training platforms that are commonly used, I would like to add INE to the list, as it provides some very effective free training that an organization of any size could use to generate a higher level of security understanding for all types of employees. INE also provides corporate training packages that are reasonably priced in comparison to its competitors. To add another layer and further develop awareness of security, I would also have an internal team still be performing assessments like phishing tests against all employees and enforcing follow-up training videos and a brief quiz for example for those who fell victim.
Hi Antonio,
I agree with you that training should come from both internal and external sources. Training and awareness from internal sources will not always give the best results. Having a third party come in and spread a different voice can always add value to the employees and the company.
Well said, Corey; training should always be sourced internally and externally. However, in situations where SMEs exist within the organization or when the organization lacks the required skill set to facilitate role and tool-based training, the organization’s security need must be adequately addressed. Whether internal training would not give the best outcome is yet to be proved, even though it is always better to seek vendors’ approaches. Regardless, there are now so many budget-friendly avenues out there to access activities. The overall objective is security awareness and training to ensure that its employees are adequately protected.
Where would you recommend an organization find practical cost-effective training for its employees?
For cost-effective training, education, I would suggest online courses from Udemy and NIST has huge resourceful material free of charge and cheaper programs in security for professionals and students. who has no knowledge of studying IT .The company views training as a key component of employee retention, which is increasingly important as the wave of baby-boomer retirements begins to go on retirement.
It is absolutely essential to place more premium to security training regularly, this not only done to assist to employees to appreciate the value of security training education for every employee, However, it can help employees understanding how human error can have a serious impact to the organization
I believe that no expense should be spared in the effort of training end users and making them more aware of the best practices regarding IT security. “Measuring the effectiveness of various efforts can be costly and time consuming, but it must be done if you want to ensure that you are reaching your target audiences.” (SANS reading 2)
However, after reading some of my classmates’ posts I do agree that Udemy would be a great way to help educate everyone in the organization of IT security best practices.
Good point Joshua. Whatever the cost may be to train employees and making sure the best practices regarding IT security are utilized, if it is successful and everyone benefits from this training, then an accomplishment has been made and whatever the cost may be to help educate staff should not be an issue. However, if there is a cost-effective way to help train at an inexpensive price, and is just as beneficial, then by all means saving money by using a great resource such as Udemy is a good idea as well.
Hello Joshua, to add to your point, I also started my security career learning on platforms like Udemy, Edureka, Coursera, and Cybrary, and I see them as very useful. However, I want to add that they begin as open-source with no subscription requirements and later become pricy with aggressive marketing tactics. The beauty of online security training sources is obtaining certificates of completion which could also be used in resume building under the credentials and certifications paragraph.
Hey Chris and Olayinka,
I have have a friend who has downloaded some of Udemy’s material and copied it for me on a hard drive. For sure Udemy is goes in-depth with their course material. I never had access to the actual web site and COMPLETE course material. But the videos I’ve watched which is majority of the course material was very interesting. The professionals they have teaching these courses do an exceptional job. They talked about a lot of topics for the information security course, including the CIA triad and even penetration testing.
I agree with you Chris that it is very cost effective. & Olayinka I didn’t know they offered their own certificates that someone who has subscribed can add to their resume…. That’s pretty dope! That’s a good incentive for me to actually subscribe.
I would consider looking into your cyber insurance offerings, if any are available. Some big-name insurance companies such as AIG, Beazley, and Chubb offer free or reduced-cost employee phishing simulation awareness training, as well as other offerings.
If no options are available, I would recommend developing the trainings in-house or researching reduced-cost trainings. NIST provides a list of recommendations on their website (link below). It would be a good idea to see if any of the NIST-recommended companies specialize in your industry.
https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
Madalyn,
I think it is very smart idea to not only look into cyber insurance, but also what training programs different insurance companies offer. Cyber insurance is growing more and more necessary for even small-to-mid size firms, and any company having built-in or discounted IS training included in their package would have a considerable benefit over other insurance companies and/or policies that don’t. I did not think about looking into cyber insurance companies in regards to IS training before I read your post.
-Mike
First, looking for external options, company should consider developing cross-training program where employees are arranged to shadow each other and develop new skills and techniques from their teammates. Also, mentoring would help to transform knowledge from top to bottom of the organization. These activities would put the team on the same page and avoid additional cost related to external resources.
As external learning, E-learning should be the option considered first. Considering that the whole world and businesses are transferring to online platforms during the COVID-19. It would be very smart to ensure that the trainings take place online. Instead of physical face-to-face training (snacks and drinks), online training can be offered at less cost. Videos and tasks can also be assigned offline to give flexibility to employees. This can be offered as a cost-saving option that adapts to the pattern of workers currently working online. Luckily, lots of platforms offer free or paid certification programs to ensure security training such as Udemy, Open University, Future Learn, Coursera, NextGenT.
There are many platforms which the companies can use to provide their employees security training. The few of the platforms are Proopoint, KnowBe4, Infosec, and/or LinkedIn Learning. It would be depended on the size of the organization and the requirements of the organization to determine the cost. If the company is big enough them, they could also design/create their own trainings for their employees.
My biggest suggestions for an organization to find cost effective training is 1. to build training in house with various professionals in the organization/internal auditors who are educated in NIST/ISO best practices, and (if in-house training is not an option) 2. Open education resources (OER’s). The federal/state government offers an array of tools for private organizations to promote cybersecurity. For example, in New Jersey, the New Jersey Office of Homeland Security and Preparedness (NJOHSP) offers free incident response and information security training through their website, virtual lectures, and in-person events. These training sessions are all free of charge, targeted to reach private sector companies that might not have the resources to orchestrate a SETA of their own, In addition, companies like Microsoft/Azure offer whitepages and other security awareness platforms for companies/individuals to educate themselves on,
Thanks for sharing Lauren. I too suggested using an existing resource within the organization and I agree with your point that it could also be spread across a number of organizational units, such internal audit and security, to help raise awareness and provide training to users on the importance of security. This could be a solid approach with the security side focusing on how the SETA program should be implemented while internal audit, with the help of perhaps a Business Continuity unit, could assess the systems and users who pose the most risk and who handle some of the organizations most critical data to ensure they are prioritized when it comes to security awareness and training.
Conducting trainings in-house is usually the most cost-effective way to go, but a barrier to that would be if the organization does not have the skilled employees to conduct/develop the trainings. This is usually the case for smaller organizations who end up outsourcing to third-party vendors. If we take the least flexible scenario where in-house training is not an option and the organization does not have enough employees or willing employees to build the necessary skills to train, then the next best option is to go to an outside source like SANS.org or ISC2 to gain the technical information security training.
It would be interesting to see an organization dedicate a current security minded resource, such as a security analyst, to provide training to the rest of the employees on behalf of the organization. This could be included in a weekly email communication that is sent to every employee within the organization or the security analyst could pre record a video which could be required for all existing employees to watch on a periodic basis. This may not be easily deployed for organizations with limited employee resources – however, I’d argue these same organizations most likely lack financial resources, especially when it comes to budgeting for security. Therefore, if a capable security minded person already exists within the organization I think it could be beneficial for an organization to have them dedicate just 5-10% of their daily job duties to educating the rest of the organization.
Where would you recommend an organization find practical cost-effective training for its employees?
No matter the size of the organization I would “recommend” they first try to accomplish this with their own IT/IS team. If possible, this not only cuts out the cost but its internal so those giving the training are more familiar with how the organization/business runs so the training will be more effective.
If this is not possible, there are several online resources that many of my classmates have already named. Dont want to beat a dead horse but NIST, Udemy, Linked In Learning, PluralSight are some great ones.
Where would you recommend an organization find practical cost-effective training for its employees?
The term cost effective does vary widely based on the security requirements of the situation or the organization. The US Govt or US Military spends considerably more than the local website creation and hosting organization – appropriately so! However, if someone is resource constrained then a plethora of resources are available from sites like youtube, LinkedIn, Coursera, AWS, Azure, NIST, SansInstitute etc. These materials range from free to small cost per viewing. The power of Google can not be understated when tackling a problem like this one!!
Identifying course content is only part of the equation, finding ways to get the employees to engage to truly learn and apply the material is the challenging part!
Hi Richard, “plethora” is the perfect term for the amount of resources anybody can utilize to search for security training. Youtube is a good mention for it being free to use and the countless amount of content anybody can find for training purposes.
To determine where an organization can find practical-cost effective employee training for its employees, one must really determine the size of the organization. Any large or medium sized organization should have its own IT Security team in place, or should be outsourcing one. The level of risk you expose yourself to grows with the size of your company, so making sure your employees are educated on security risks but be a main priority. If the organization is smaller, and doing what I previously said is not a possibility, there are many resources available. Management should spread awareness on the matter, encourage outside research, or implement some cheap methods such as training videos/quizzes..
Where would you recommend an organization find practical cost-effective training for its employees?
First, I would find out within the company what the business objectives and what the business needs to excel in. How many employees there are, and what level of knowledge. On the management level, management is more advanced than consultants. That case, the organization has to find a training that suits all employees. First, the organization can try a “blended approach.” An employee can learn from their coworker and read more about the training online. There are tons of videos and learning sites that employees can sign up for from little to no cost. An organization can assign a quiz after each training. Continuous training such as PluralSight and Cybrary is affordable for an organization. PluralSight provides a subscription for a year, involving courses for Information Technology Professionals. Additionally, Cybrary offers 300 video courses and tons of hands-on labs.
I would recommend some professional websites, such as knowbe4 because professional training institutions can train employees more effectively.
I don’t think finding practical, cost-effective training for employees is the same as lowering the quality of training. Unqualified employees tend to reduce productivity.
1. Online learning is an option. E-learning can increase efficiency and reduce costs.
2. A learning management system (LMS) that can organize the required content into each class session and track employee performance. There are several companies that offer SaaS (cloud-based) learning management systems.
If training content is compatible with mobile devices and easily accessible so that employees can learn in a way that is most relevant to their job, current skill level and development needs.You can also control costs while improving employee skills.
@Dan- NIST provides accountability is major way to ensuring security awareness in a cost effective manner. ccountability
One of the keys to a successful computer security program is security awareness and training. If employees are not informed of applicable organizational policies and procedures, they cannot be expected to act effectively to secure computer resources.
Both the dissemination and the enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when caught doing something wrong.
There are multiple companies which provide SaaS (cloud-based) Learning Management Systems. The big advantage is that while the learning content will be created by you and meet all your specific needs you will not need to worry about technology. It’s all taken care for you. It can cost you from few hundreds to few thousands per months just to use the software, however.
Use Reporting Tools: It’s an absolute must to define which courses and modules are necessary and useful.
On-the-job or hands-on training jumps straight to the practical skills necessary for the job. New hires begin working immediately with this training method. In some cases, it may be beneficial to incorporate an employee shadowing component. This will allow new hires to gain a little insight into the context and job requirements before trying it on their own.