The Trouble With Training

A little girl's bicycle with training wheels in the Groninger village of Oude Pekela, Veenkoloniën.

At Pythia Cyber we are often asked if we provide training. If you mean canned training to keep users from clicking on links in emails, then the answer is a hard "no." "Why not?" is the all-too-frequent follow-up question. "That is a long story," we reply. So long that it needed this blog post to answer it.

In this context, "training" means taking a course in one of several tiny subsets of cybersecurity, likely ending in an exam so that the trainers can certify that your people took the course (or charge you for them to take it again). Most of these courses are online, but some are given in person. We are agnostic about the delivery method: it is the content that concerns us.

Why don't we provide this as a deliverable to our clients? After all, it has some attractive attributes from our perspective and some from the client's perspective:

Good For Us

  • We can design once, sell many times, and have less-qualified people give the course.
  • We can control the definition of success (passing the exam at the end).
  • We can schedule the training without having to coordinate with our principals' schedules.
  • We can sell the course to any client, regardless of staff make-up or current environment.

Good For You

  • You get immediate activity in the cybersecurity realm.
  • You get an outside certification that you can point to when it is done.
  • You do not have to disrupt operations very much to do it.
  • You have certainty as to time and cost.

Not For Us

So why don't we offer this kind of training course? Because this kind of course has no place in our NIST CSF-based process:

  1. Govern: define governance that links management with information security operations and business continuity
  2. Identify: identify assets by working with both management and IT
  3. Protect: protect assets with policies and procedures
  4. Detect: detect threats and vulnerabilities through monitoring
  5. Respond: respond to issues as they arise and are detected
  6. Recover: recover from any damage after the response has contained the problem

Which of these steps would include sending people to a conference room for a course on how to identify the source of an email before clicking on any suspicious links? We cannot figure out how to add such an offering to our process in a way that would deliver greater value to you (although it is clear how it would deliver greater revenue to us).

When to Use This Kind of Training

We want to help people practice proof-based cybersecurity, where "proof" means evidence that you can understand. This kind of training strikes us as a strange place to start. We are not saying that it has no place in any organization. As an answer to the question "what are we going to do about all these phishing attacks that our Detect efforts have uncovered?", this kind of training is just the ticket.

The crucial difference in that scenario is that you have identified a problem, you are monitoring it, and you are responding to it as the evidence directs you. You will also have the evidence to tell you whether the training is actually elevating your cybersecurity. Without that, all you have is evidence that the training is effective at getting people to pass the test. That is a proxy for greater safety: better than nothing, but not as good as evidence of increased safety.

Since one of our founders is a practicing research psychologist, we feel we have to add that not all training is good training. The point of training is to change people's behavior in certain situations, to make it as probable as is practical that people will do the right thing in those situations. Training people NOT to click on links in email is not really what you want; instead you want everyone to be aware of at least the basic cybersecurity risks and to avoid risky behavior as much as possible. "Don't click on links" is another proxy for "be mindful of what you are doing on the public Internet." "Don't click on links" is better than "blindly click on whatever you see" but falls far short of the actual goal. Effective training needs to be targeted and specific and, ideally, a good fit for your particular audience. That same founder will address the ABCs of training in future posts. If you are going to pay for training you should be an educated consumer. That may make the difference between security theater and a security upgrade.

What if you cannot spend the time or money to build an internal cybersecurity program? What if your workforce is extraordinarily resistant to change, as many finely-honed and tightly focused workforces are? In that case, take the training. It has some value, and in the never-ending battle to keep cybersecurity threats at bay, sometimes you take whatever progress you can get.

If you can take the time and effort to build the kind of cybersecurity program that ensures your training is addressing a real problem effectively, then contact us and let us see what you and Pythia Cyber can build together.
