If you would like to read the other parts in this article series please go to:
- Security Awareness Training: Your First Line of Defense (Part 1)
- Security Awareness Training: Your First Line of Defense (Part 2)
- Security Awareness Training: Your First Line of Defense (Part 4)
In Part 1 of this series, we discussed the importance of security awareness in today’s highly regulated workplaces, and in Part 2 we focused on how to develop your own in-house training program. This time, we’re going to look at a different option, hiring an outside company to do the training, and at how to choose the right company so that your computer users get training that is relevant and comprehensive, rather than a minimal “canned” presentation that nobody will pay attention to or remember.
Outsourcing security awareness training
After reading about all that’s involved in developing a good security awareness training program, you might have decided that it makes more sense and will be more cost-effective to simply engage a training company to come in and do it for you. There are many benefits to this approach, particularly if you have limited personnel resources in-house and/or if you need to get the training started immediately.
A company that specializes in security awareness training will (or should) be constantly learning from their clients what works best and what doesn’t, and fine-tuning the program. They’ve already been through this trial and error process many times, whereas with a DIY effort you need to get it right the first time.
Because this is what they do every day, the instructors will likely have a better grasp of the material and subject matter. They may be better able to answer users’ questions and will have encountered many of the off-the-wall scenarios that students may bring up in class, which would stump a less experienced teacher.
However, the quality of training you’ll get from an outside company can vary greatly depending on the particular company you select. That’s why it’s so important to do your research and thoroughly evaluate the company and its programs, interview its instructor(s) beforehand, and determine which company offers the best value for your particular organization.
Evaluating the company
How do you go about comparing different training companies? The first step is to assign the evaluation and selection task to a particular person or team in your organization. Come up with criteria (based on your individual company’s needs) and a timeframe for conducting the investigation into each company that’s under consideration.
Typically, the search starts with identifying several companies that provide the type of training you want (whether classroom or computer-based). Word of mouth is one of the best ways to get referrals, so you might survey other companies in your area whose needs and makeup are similar to yours (number of employees, the kinds of online tasks the employees perform, the same level of confidentiality/sensitivity of the information they handle, and so forth).
Another preliminary way to find companies, or to further check out the ones that come recommended, is of course to visit their web sites. When you’re looking at companies that, for example, make and sell automotive accessories, the quality of the web site doesn’t necessarily reflect the quality of their product. But when you’re looking at companies that specialize in Internet security training, they’re in the technology industry, and thus would be expected to have good web sites. They’re also in the business of imparting information and facilitating learning, so the sites should be informative, with the information on the sites clear and easy to understand and navigate. If they can’t get that right, I’d worry about how well they can write and deliver a training program.
The site should also use secure technologies. If the web site of an Internet security training company requires me to download ActiveX controls or to use Flash, both of which are notorious for security problems, just to view its pages, I’d be wary. If the site allows online ordering or payment, make sure those pages are served over HTTPS with a valid certificate (not one you are asked to click past a browser warning to accept); that is the bare minimum.
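The checks above can be scripted so that the same questions are asked of every vendor site under consideration. The following is an added example, not code from the original article: it takes a page URL, the response headers and the page HTML (all constructed here, using hostnames under the reserved `.invalid` domain so nothing is contacted) and reports ActiveX `<object>` tags, Flash embeds, forms that post over plain HTTP, a missing HSTS header and cookies set without the Secure flag. The function names (`audit_vendor_page`, `_PageScanner`) and the sample data are assumptions for the example; in practice you would feed it the headers and body you fetched with your own HTTP client.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FLASH_MIME = "application/x-shockwave-flash"


class _PageScanner(HTMLParser):
    """Hypothetical helper: collects plugin embeds and form targets from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Boolean attributes arrive with value None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        # ActiveX controls are instantiated with <object classid="clsid:...">.
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.findings.append("activex: <object classid=%s>" % a["classid"])
        # Flash is loaded via its MIME type or a .swf resource in <object>/<embed>.
        if tag in ("object", "embed") and (
            a.get("type", "").lower() == FLASH_MIME
            or a.get("src", "").lower().endswith(".swf")
            or a.get("data", "").lower().endswith(".swf")
        ):
            resource = a.get("src") or a.get("data") or FLASH_MIME
            self.findings.append("flash: <%s> loading %s" % (tag, resource))
        # Resolve the form target against the page URL so relative actions
        # inherit the page's scheme; anything that is not https is a finding.
        if tag == "form":
            target = urljoin(self.page_url, a.get("action", ""))
            if urlparse(target).scheme != "https":
                self.findings.append("plaintext form: posts to %s" % target)


def _check_headers(headers):
    """headers: dict of response headers; 'Set-Cookie' maps to a list of cookie strings."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in h:
        findings.append("no HSTS header: browsers may still be downgraded to http://")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "secure" not in flags:
            findings.append("cookie %s set without the Secure flag" % name)
    return findings


def audit_vendor_page(page_url, headers, html):
    """Return a list of findings for one vendor page; an empty list means it passed."""
    findings = []
    scheme = urlparse(page_url).scheme
    if scheme != "https":
        findings.append("page itself served over %s" % scheme)
    findings += _check_headers(headers)
    scanner = _PageScanner(page_url)
    scanner.feed(html)
    findings += scanner.findings
    return findings


# Constructed sample input (not a real vendor): an order page that fails most checks.
SAMPLE_URL = "https://training.example-vendor.invalid/order"
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly", "lang=en; Path=/; Secure"],
}
SAMPLE_HTML = """
<html><body>
<!-- classid below is the well-known Flash Player ActiveX class identifier -->
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="intro.swf">
</object>
<embed src="/media/demo.swf" type="application/x-shockwave-flash">
<form action="http://pay.example-vendor.invalid/submit" method="post">
  <input name="card">
</form>
<form action="/contact" method="post"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_vendor_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print("-", finding)
```

Run against the constructed sample it reports five findings: the missing HSTS header, the `session` cookie without `Secure`, the ActiveX object, the Flash embed and the checkout form posting to `http://`. The `/contact` form and the `lang` cookie pass. Treat the output as a starting point for the conversation with the vendor rather than a verdict; a site that passes these checks can still be poorly written.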
Once you get past the design and implementation of the site, pay attention to the information there. Look at the “About Us” section (there is one of those, right?) for information on where the company is physically located, how long it has been in business, who its executives are, how many employees it has, and perhaps testimonials from its clients. Does it provide more than one type of contact information? A company that only wants to be contacted via an online form and gives no email address, phone number or physical address should raise a red flag. On the other hand, one that insists on a phone call and offers no online contact option may be planning to use hard-sell tactics.
Does the site have detailed information about the types of training it offers? I don’t want to waste my time calling or emailing a company that provides only computer-based training when I want on-premises classroom training, or vice versa. The web site should give you enough information to eliminate those that don’t fit your high level criteria, without having to contact them to find out that very basic information. Again, it’s about their ability to communicate clearly.
Evaluating the programs
As part of evaluating the companies, you will also start to evaluate the programs. As mentioned above, the first step is to determine that they offer training in the general format you want to use. Then look at the time formats; if you’re looking for a two-day overview course and the company only offers a three-month comprehensive course (or vice versa), it’s obviously not a fit for your needs.
Of course you’ll want to consider pricing. The cheapest choice is often not the best one, although the most expensive one may not be, either. What you’re looking for is the best value for the money. However, the reality is that if you have a set budget allocated for the training, you’ll only be able to choose from programs that fall within your price range. There’s no point in spending a lot of time and effort to evaluate a program that your company can’t possibly afford.
How customizable are the courses that are offered? Does the company offer courses that are aimed specifically at your industry (such as financial services, healthcare or retail), which may have special considerations that go beyond the basics, due to regulatory requirements or industry mandates?
Are there different short courses that can supplement the basic course, which might be relevant to some of your employees and not others? For instance, if only managers access the company network through their mobile devices, is there a mobile security mini-course that they can take?
If the company does offer supplementary courses, you’ll need to evaluate the basic security awareness course carefully to ensure that it covers all the topics you expect and that some you would consider “basic” haven’t been spun off into separate courses. Topics that most companies will want to cover with all employees, either through a comprehensive basic course or by putting together a good “menu” of short courses, include the following:
- Security terminology and concepts
- Malware: viruses, Trojans, worms, adware, ransomware, etc.
- Malware vectors: email, web, program installation, IM, removable media, etc.
- Dangerous web sites
- Social engineering (online and offline): common tactics and techniques, how to recognize and respond; phishing/spear phishing
- Exploits: operating system, application and protocol vulnerabilities
- Attacks: DoS/DDoS, man in the middle, IP spoofing, DNS poisoning, password cracking
- Data security and encryption
- Physical security
- Best security practices
In addition to the generic information, a good security awareness program will also inform your employees about your company’s specific security-related policies as well as the consequences of violations and procedures for reporting observed security policy violations.
Security awareness training for executives will include other topics, such as how to handle the media/press statements in the wake of a security breach, fundamentals of risk assessment and management, security precautions and policies regarding employees who leave the company (voluntarily or not), legal issues related to information security, and similar topics.
Look back at Part 2 of this series and ensure that the program’s learning objectives and lesson plans follow the models discussed there.
Evaluating the instructors
Even when an excellent curriculum is in place, the real-world effectiveness of any instructor-led training program will depend, at least in part, on the qualifications and capabilities of the instructors who deliver the material. When evaluating instructors, remember that credentials on paper are only a starting point. Ask questions such as:
- What is the instructor’s background (other than teaching) in information security? Experience in the field lends valuable perspective and makes for a much deeper understanding of the problems – and the solutions.
- What are the instructor’s teaching credentials? Field experience alone doesn’t guarantee that a person will be able to teach others effectively. How many classes has the instructor taught or for how many years has he/she been teaching? What formal training in classroom instruction and adult learning theory does he/she have?
- What teaching methodologies does the instructor use? Lecture/slideshow only, or does the instructor engage students in discussion, lab work and practical exercises?
- Is the instructor enthusiastic about the topic? Does the instructor have people skills that facilitate engagement with the students?
Bringing in a training company to provide instruction in security awareness can be a good business decision – or not. The results hinge on doing your homework and carefully evaluating potential companies, their programs and curricula and the instructors who work for them. In Part 4, the final installment in this series, we will discuss how to do a post-course evaluation to properly assess those results.