James Nyamokoh says
For practical cost-effective employee training, I would recommend a combination of both online platforms and in house resources. There are platforms online that offer free or low cost security training modules, while others provide comprehensive, though more premium, options. Additionally, internal knowledge sharing sessions, led by experienced team members, can be a cost-effective way to provide personalized training. Free resources from government organizations, such as the National Institute of Standards and Technology (NIST) or Cybersecurity and Infrastructure Security Agency (CISA), can also supplement the training with credible, up-to-date content.
Nelson Ezeatuegwu says
“internal knowledge sharing sessions, led by experienced team members, can be a cost-effective way to provide personalized training.” I agree with the above statement especially in a skill-based training, employees with intermediate or advanced skill level can benefit from internal knowledge sharing sessions.
Benjamin Rooks says
Cost effective training can easily be internally developed by one team and managed by two employees. The main upfront cost of training is developing the training plan. This project can be managed by a team utilizing open source knowledge and best practices since those are widely and freely published. Once the initial training plan is developed then a team of two would easily be able to ensure that the course is regularly updated and that it is reaching the entire company.
Tache Johnson says
You raise an interesting point about cost-effective training being developed internally, which can certainly help save on external expenses and keep things in house. Leveraging open-source knowledge and best practices is a great strategy, especially with so many resources freely available. However, my concern is with the long term sustainability of having just two employees manage and update the entire company’s training. What would happen if the organization scales or if the security landscape changes rapidly? Would two people still be enough to handle updates and ensure the training stays relevant and effective?
Vincenzo Macolino says
I agree, handling training in house not only cuts costs, but also makes it easier for management, and general employees, to have the same communication with the group training them. Not only that, but it is cost effective and just offers more hands on training and is easier to manage. Developing a training plan should also be relatively easy, because the team should have a decent idea of what risks their organization faces from the jump.
Brittany Pomish says
Kind of lumping into Tache’s thoughts, I agree with your thought on open source knowledge, however, I think it is important to have that type of knowledge reviewed and published to the company’s intranet (some type of learning portal or resource portal). At my organization, all guidelines and job aids are reviewed by Corporate Legal and department leaders to ensure accuracy, consistency, and appropriateness. Peer to peer learning is a great tool, but it also should be reviewed/published, so the organization can ensure all employees are utilizing the same and correct document, as well as address Tache’s point of sustainability or turnover.
Gbolahan Afolabi says
I believe the team that would be responsible for developing the training would be the HR team, especially for a small organization. They would be expected to work with internal stakeholders for their input but the HR team would have knowledge on creating employee awareness and training programs. It could be introduced in their Learning Management System (LMS).
Nelson Ezeatuegwu says
Practical cost-effective training can be developed internally by an organization by tailoring and customizing the training to reflect the recommended baseline and other information security risks facing the organization. Developing security education, training, and awareness internally will not only limit the cost; it will also help the organization to keep the mission and culture in mind.
Ericberto Mariscal says
For cost-effective training, I would first recommend online resources such as the NIST website or websites such as cybrary.it where you can find a wealth of training material ranging from free to small cost security training. If the company has a specific SME appointed, then I would also recommend internal training, this could be done in the form of a training session such as a ‘lunch and learn’, this is something that I’ve experienced in my career many times and found very helpful/useful. If the company is small, I would recommend a government aid, such as the U.S. Small Business Administration which offers assistance for SMB through programs such as the Cybersecurity for Small Business Pilot Program, which offers grants to be used for training, counselling and other cybersecurity services for small businesses.
Gbolahan Afolabi says
To develop a cost-effective SETA program, an organization can leverage internal and external resources. Internal security staff can be consulted on material to be used in disseminating security awareness and the information can be distributed through the Learning Management System (LMS) used by other departments for training and compliance. This would cut the cost of hiring consultants and would leverage resources that have already been paid for. This frees up budgets for more advanced training for users in specialized roles whose job functions carry a higher level of risk. Resources such as Udemy or Pluralsight can be purchased for upskilling employees to manage additional responsibilities or upskilling. If the organization has a bit more money to spare, they can hire consultants to teach classes to small groups of designated staff.
Tache Johnson says
I think it would be a good idea to check out resources such as the SANS Institute; sometimes, if you come in as a large group, there could be a discounted rate. They have a lot of online security awareness courses and materials that are practical and affordable for training. SANS offers programs that can be customized to fit various industries and specific demands. Another option is to have internal experts maintain workshops or make training videos, which can save money and be tailored to the organization’s yearly needs. Also, a lot of organizations can use free resources from government agencies such as NIST, which provide guidelines and templates that can be modified for internal training.
Vincenzo Macolino says
Cost effective training can be done within the organization. To limit cost, I would recommend creating a team that utilizes free training techniques, textbooks, and in general just researching training methods for employees. Creating a risk assessment to determine what employees’ training needs to be on would be easy as an internal team of employees should already have a good idea of the risks and vulnerabilities to the business. Some resources such as NIST and SANS are cost effective ways to provide training for their employees as well, and having a small team with experience will be able to handle training general employees and management.
Christopher Williams says
I believe organizations can utilize free online platforms and in-house training programs. Online platforms like Coursera, Udemy, and LinkedIn Learning provide access to free or low-cost cybersecurity courses that cover essential topics such as phishing, data protection, and password security.
Organizations can use their own IT professionals or experienced staff to lead security workshops, focusing on real-life scenarios the company might face. This not only saves money but also ensures the training is specific to the company’s needs. Additionally, internal teams can continuously update the training materials to reflect new threats and industry practices.
Combining the free resources of online platforms with tailored in-house training allows companies to provide comprehensive security education without straining their budgets. This strategy helps create a strong security culture while keeping costs low.
Cyrena Haynes says
When seeking practical, cost-effective training for employees, organizations need a balance of quality, accessibility, and budget. One of the best approaches is to utilize in-house expertise. Internal security experts/teams can develop customized, role-specific training programs at little to no additional cost. This approach ensures that training directly addresses the organization’s unique challenges, tools, and processes. The benefits of this method include its high level of customization, cost-effectiveness, and reliance on built-in expertise. However, it can be time-consuming to create and maintain and is dependent on the availability of internal resources. Another option would be to use online learning programs; however, most programs are self-paced videos and there is no guarantee the employees will have the self-discipline to complete the training and acquire the necessary knowledge. These programs may also not be tailored to the specific needs of an organization.
Christopher Williams says
You bring up a great point about employees potentially lacking the self-discipline to complete self-paced online training programs, which can be looked at as a burden and less as training. I mentioned this issue in my own response as well. Without engagement and accountability, it’s easy for employees to breeze through the content without absorbing the important information. That’s why I also agree with your suggestion of using in-house expertise to create more customized, engaging, and relevant training, which helps keep employees more focused and invested.
Cyrena Haynes says
Hi Christopher,
Thank you for your response. Engagement and accountability are key components of organization-wide training. I also believe these two options can be combined in a hybrid approach, where a few individuals are designated as security champions. They could complete the self-paced course, develop a customized curriculum, and then lead training sessions for both new and existing employees.
Jocque Sims says
If the organization is building its security education program, it should refer to resources from state and federal sources to ensure security compliance with all appropriate laws and regulations, most notably NIST and CISA. If there is no budget, the organization should consider using freeware and online courses that offer its employees general and specialized security training.
However, if it has established a security program and/or it is within budget, the organization should also consider purchasing technologies that can assist in the process, such as behavioral management tools.
Neel Patel says
Hi Jocque!
Great response – I like how you talk about government documents like NIST and CISA. In addition, I think free resources online like Coursera are fantastic. This is low-cost, and it can be a great way to learn and train employees. The Internet provides great resources at a low cost.
Andrea Baum says
To implement a cost-effective Security Education, Training, and Awareness (SETA) program, organizations should leverage a mix of internal and external resources. Foundational security awareness training can be developed in-house using accessible platforms like videos, newsletters, and phishing simulation tools such as Wombat Security or Phishme. These tools not only assess employee vulnerabilities but also provide targeted, just-in-time training when users fall for simulated phishing attacks, addressing gaps as they arise.
For specialized, role specific training, organizations can turn to industry leaders like SANS Institute or ISC2, which offer globally recognized training through virtual or in person workshops. This minimizes travel costs while maintaining quality learning. Additionally, businesses should collaborate with industry peers or local security associations to access group discounts or free webinars. By combining these resources, companies can meet regulatory requirements, reduce risks, and build a security-conscious culture without exceeding budget constraints.
Brittany Pomish says
For practical, cost-effective employee training, you can use a combination of in-house resources and online platforms. In-house resources, such as guides or job aids, can be designed by current employees. This approach utilizes the skills and knowledge of existing employees, is cost-effective, and gives employees a sense of ownership in their roles, encouraging peer-to-peer learning and knowledge sharing.
Additionally, there are numerous online platforms available for training, such as Udemy, Skillshare, and professional associations like the Institute of Internal Auditors (IIA) or ISACA. These free resources can be excellent supplements to stay up to date with professional development and risks.
Aisha Ings says
Hi Brittany,
I share the same opinion that online platforms like Udemy along with organizations like ISACA offer great training opportunities that are affordable as well as effective. They provide access to resources and courses at a fraction of the price of traditional in-person training options. Combining online training with in-house resources like job aids and guides is an effective approach for continuous professional development while keeping costs low and training effective.
Neel Patel says
I would recommend an organization find cost-effective training for its employees online. CISA and NIST are great free resources. CISA offers free online security training courses and is a government initiative to increase awareness. I would urge an organization to use this. SANS Security Awareness is an organization that promotes cybersecurity awareness, and they do have an option to pay for more advanced training. Another effective website would be Coursera. They offer a lot of classes and this would be a great way to learn and train employees. Ultimately, utilizing the Internet is valuable for an organization to improve training for its employees.
Jocque Sims says
Good afternoon Neel Patel,
I completely agree with you about using federal references and regulations as a cost-effective security training tool for employees. Firstly, it demonstrates the level of compliance the organization is committed to maintaining. Secondly, these platforms are regularly updated. And thirdly, most of the resources are free. Great post!
Dawn Foreman says
To find practical cost effective training, I would recommend a firm’s security department utilize free resources offered online by organizations such as NIST, CISA, and SANS. Most trainings are free and can be used for basic cybersecurity awareness. If a company is unable to find an engaging training online or training that directly discusses the issues that company faces, the information security team should use their research and subject matter expertise to create training internally. In this instance, the training can give general information and security awareness as it directly relates to the firm and their practices/policies. My overall recommendation would be to use a mix of these resources.
Andrea Baum says
I agree that utilizing free resources from organizations like NIST, CISA, and SANS is a cost effective way to provide basic cybersecurity training. Combining these with internally developed, company specific training ensures the content is relevant and tailored to address the unique challenges and policies of the firm.
Aisha Ings says
If a company is looking for a cost-effective way to educate its employees on cybersecurity, there are numerous free or low-cost online training resources available. Platforms such as Udemy, LinkedIn Learning and Coursera offer a wide range of affordable courses on topics like security awareness and IT security. CISA (Cybersecurity and Infrastructure Security Agency) provides cybersecurity awareness training materials and toolkits for businesses to utilize in enhancing their cyber security measures, and under Microsoft’s Security Training and Awareness program, you can access free materials. Additionally, ISACA provides discounted webinars and training sessions focusing on IT risk management and auditing. By leveraging these platforms, businesses can implement effective and affordable cybersecurity training programs.