Jill Brummer says
I would recommend an organization to find practical cost-effective training for employees by researching well-known vendors such as ThreatSIM by Wombat Security and PhishMe (as named in the VACCA reading). A Google search can be done to compare vendors, in addition to asking colleagues or other industry professionals for their recommendations on specific vendors. I would suggest making a decision based not only on the cost of the training, but also on whether the training fits the needs of the company and its users. If it’s too basic, it might not be a program that can be used for in-depth training, and vice versa: if the training is too detailed and targeted at IT specialists, then the basic users won’t get the awareness training they need.
Kenneth Saltisky says
Hi Jill,
I agree that beyond the cost of training it is also important to consider how the training should fit a company’s needs. If a company does not have heavy requirements in terms of security, then it doesn’t make sense to utilize in-depth training. As the opposite, if a company has high security requirements then it doesn’t make sense to utilize a cheaper and more basic training solution.
Shepherd Shenjere says
I agree with you. More research comparing different vendors helps with identifying the most cost-effective service.
Nicholas Foster says
Every organization needs to first look at their budget. The budget set aside for their training/awareness program will help narrow down what is and isn’t available. Additionally, when deciding which is right for your organization, trials/demonstrations of the training are extremely valuable. Find companies that are willing to give live demos for you and pertinent stakeholders to gauge relevance based on your organization’s needs/wants. You may be looking for a specific kind of training, such as interactive vs. just watching the content, as well as the ability to select from a variety of different scenario-based trainings. A one-size-fits-all training is not as effective as a tailored approach. Being able to assign trainings that align with the resources that employee has access to and works with makes for a far more relatable and valuable learning experience.
Abayomi Aiyedebinu says
Budgeting is a key concept to look at when recommending practical cost-effective training for employees. Nowadays there are several companies that provide cyber security awareness training to employers and employees at a very reduced price. For example, Infosec collaborates with companies to sensitize them on cyber security awareness training. I would use two strategies in my recommendation: one would be to use a software-as-a-service LMS. A lot of organizations are taking advantage of cloud infrastructure software as a service, a learning management system where outsourced and in-house training can be hosted in the cloud on a learning management system and each employee is sent an assignment on their own LMS. Another opportunity using these SaaS LMSs is distributive learning across the organization, where part of the learning is delegated to knowledgeable people from the IT team who can create content for employees; this content will be stored on the LMS and assigned to employees based on training and awareness needs.
Kenneth Saltisky says
Hi Abayomi,
Your suggestion of utilizing a SaaS LMS does make sense. The companies I’ve worked for have utilized a SaaS LMS with required training as well as offering optional training to help with attaining certifications. I’ve personally utilized the optional training as well as learnings offered by other employees to help further my understanding of security requirements.
Shepherd Shenjere says
Considering that core business leaders look at cybersecurity as an IT department burden, finding cost-effective training can be key. VACCA talks about behavioral management tools such as ThreatSIM by Wombat Security, PhishMe and others. According to VACCA, “ThreatSIM is a platform that allows administrators to measure and monitor the delivery of emails to users and can be used to craft fake phishing emails that can be customized by department or region.” This gives an idea of what is appropriate for your organization and how to make the right decisions. Also, reaching out to different vendors and inquiring if they offer free demonstrations will be key.
Kenneth Saltisky says
Hey Shepherd,
I like your suggestion of utilizing free demonstrations of vendor solutions as a part of the decision process. Even beyond cost-effective solutions, if the application is not user-friendly or doesn’t offer training that is substantive or relevant to your organization, then it doesn’t make sense to use their training solution.
Christa Giordano says
Finding a “cost-effective” training depends on the training needs of the organization and the training budget. Once the organization knows what they are looking for and knows the allocated budget, they can begin their search for training solutions. Portions of the training program can be developed “in-house” and used for onboarding activities and quarterly or annual training sessions; reminder newsletters, emails, pop-ups and screensavers can provide awareness and cost savings. If more formal training is desired or specialized training is needed for certain individuals or departments, various professional organizations can be reached out to for inquiry, such as ISACA, SANS, etc. In addition, some professional organizations offer discounts to those with memberships or sometimes offer free training, which could help. There are also various tools or programs mentioned in Vacca chapter 33 that can be used, such as PhishMe or other Learning Management Systems, and mock attack simulations, if there is enough money in the budget.
Nicholas Foster says
Hi Christa,
I think you bring up a good point with “in-house” training programs. While leveraging a vendor for quality, industry-standard/compliant training is necessary, creating training that is unique to your place of business helps create that connection with the workforce. This usually results in increased retention of said training. Even if your training is the latest and greatest, if your employees aren’t relating to the content, they’re likely to just ignore it and treat it like any other mandatory training they’re bombarded with on an annual/semi-annual basis.
David Vanaman says
You mentioned in-house training and formal external training. There is another intermediate option which I have used to good effect: identify a key individual and send that person for specialized training with an external partner; then that person returns to the organization and acts as the internal trainer for others.
Maxwell ODonnell says
Depending on how much money an organization wants to put towards a security education program, there are vendors at all price points. It is important to identify which security training is applicable to the company; this will help with staying within the budget. For example, a company that doesn’t utilize any cloud computing shouldn’t pay for cloud computing security training. Finding the correct training that suits the needs of the company, especially if the budget is small, is the most important factor. Consulting with a cyber security firm can help a company pick the correct training, or even getting a second opinion using Google or other search engines is an appropriate method for determining if training is correct. Some vendors may even offer free trials or content; these can also help a company determine if the lessons provided would be cost-effective.
Matthew Stasiak says
Because money is the most important thing to a company, it should be made bluntly obvious to the employees that they must ensure that as little information is leaked as possible, if any. One of the most important things they can do is just use their common sense and teach people to understand the difference between a phishing email and one that is not, what a secure password is, how to report suspicious activity, the ability to speak up about anything they see that is suspicious, etc. Finally, they should look for any free online resources or online classes that they can give out to their employees and try to do so on a monthly basis to maintain that base level of security and continuing education on how to ensure the company doesn’t suffer any losses.
Kenneth Saltisky says
Organizations may have their own definition for what is considered “practical cost-effective training” since each organization has its own needs and requirements as well as its own spending capabilities. ISC2 has a wealth of knowledge for cybersecurity training if the organization is willing to spend on it. There are also free resources online that any organization can leverage for their own SETA program, but at that point, I would recommend utilizing knowledgeable information security employees within the organization to help develop and prepare information sessions if there are any. If there are no individuals, then the free resources should be utilized in such a way that applies to the employees of the organization.
Matthew Stasiak says
Hey Ken,
I love the idea of using current security employees and their previous experiences and knowledge to make such security measures more cost effective. Online resources can build a good base but experience based application and solutions that tailor towards a specific vulnerability or problem can drastically help a company and their assets.
Christa Giordano says
Hi Ken,
You made a very good point when recognizing that each company has its own definition for cost-effective. You simply can’t compare an organization like Google to a local or regional business such as a community bank. While cybersecurity and awareness should be of the utmost importance to all organizations, there are very different needs and monetary constraints involved. In addition to free resources, another method organizations could explore is companies such as ISACA that offer free or discounted training to their members as well as group rates. If an organization cannot fit much customized personal training from a vendor in their budget, this could also be a viable option from a trusted source.
David Vanaman says
Where would you recommend an organization find practical cost-effective training for its employees?
There are many sources for cost-effective training. One good resource is government training programs. For example, the US Cybersecurity and Infrastructure Security Agency (CISA.gov) provides training services for infrastructure and industrial organizations and companies. NIST, the DHS, DoD, Dept of State, and other government agencies offer resources that align with that agency’s mission. Other countries, and organizations like the EU, offer training specific to their territory.
Research and training groups like SANS are another great resource. SANS training is often expensive, but it is top notch. Cyber research companies such as Black Hills InfoSec and Rapid7 often provide low cost, though generally more technical, training.
YouTube is a ubiquitous source of training videos. However, they are hit or miss, often miss. There is no coordination or curation, so there are more poor or incorrect videos than truly valuable videos. You will likely spend more time weeding out bad videos than the savings in cost is worth.
Certification bodies are another good resource. The same groups that test and audit tend to be the groups that set the standards. Their training resources therefore tend to be well focused and specific.
Commercial training platforms and bootcamps are a prefabricated way to set up training. There is often a substantial cost for the convenience, though. This can be balanced out by the ease of entry and the assurance of quality of an established educator.
Parmita Patel says
I would find generic content online that everyone should see; these places could include educational websites. I would also expand the knowledge from people inside the firm who know what they are doing and can explain it in words that would be easily understandable. I have experience with making a training course myself, and it would be the best way for people to come and learn. I had someone inside my firm who was able to help me with pulling everything together. I believe this was a great way to make sure you are not handing stuff off and you have the control in which you are seeing it first hand. I have also learned that sometimes when employees have notes which they could use as training, that would be very helpful as well, since they would be starting fresh. When there is any type of documentation, it helps a lot in the future and for others who join the team.
Samuel Omotosho says
For effective cost-effective training, the organization should adopt online training or electronic learning. It is one of the most well-known answers to the challenge of how to effectively teach staff. Online employee training programs allow for the presentation and testing of content in a variety of methods and can include videos, webinars or electronic courses.
Employees may study as per their learning preferences and current needs thanks to the diversity offered by online training. They can also continue to learn while on the run. Therefore, organizations should strive to adopt online training for their employees to ensure efficiency.
Abayomi Aiyedebinu says
Hi Samuel, I agree with you that online training is cost-effective, especially with a lot of employees working remotely. However, monitoring employees’ progress with regard to training should also be functional, for example, issuing completion certificates when an employee completes a training online.