Secrets from cybersecurity pros: How to create a successful employee training program

Educating staff on security practices is critical to keeping an organization safe. Here are the necessary components of a cybersecurity training program.
Written by Macy Bayern, Multiplatform Reporter

A lack of professional growth opportunities is one of the top reasons employees quit, yet organizations often overlook learning and development initiatives. Neglecting them ultimately hurts both the worker and the employer: 94% of employees said they would stay at a company longer if they were offered educational opportunities, a LinkedIn report found.

"One of the top job satisfaction factors of today's workforce is learning and development opportunities," said Eleftheria Papatheodorou, director of training at TalentLMS.

"On top of improving retention, training benefits organizations by providing a more skilful and engaged workforce. It improves performance as employees are given the knowledge, resources, and skillset to do their best work," said Papatheodorou.

A critical educational area for employees is cybersecurity, as more organizations become inundated by cyberattacks.

"Cybersecurity is at the front and center of enterprises due to the increasing number of malicious attacks in the workplace," said Jared Lucas, chief people officer at MobileIron.

"Proper employee training and frequent refreshers can equip employees with the tools to properly ward off cybersecurity threats on the front lines," Lucas said. 

Cost is a big reason organizations have historically overlooked training, and that means more than just the dollar sign. Training can take away from daily tasks, costing productivity for some employees, said Lisa Plaggemier, chief strategy officer at MediaPro.

However, the cost of not training employees, especially in cybersecurity practices, is far worse, Plaggemier said. 

A lack of training leads to "unintended data loss, data breach, malware infections…the list goes on and on. These [affect] your help desk, your legal department, and your reputation," Plaggemier added.

Given how prevalent cyberattacks are, many organizations understand the value of implementing these training sessions; but knowing where to start can be the most difficult part.

How to create a cybersecurity training program

1. Find the knowledge gap

The first step in developing a training program is finding the skills gap in your organization. Begin by determining what cybersecurity areas employees are most unfamiliar with, Papatheodorou said. 

"Their needs can be assessed via an online survey, or by asking employees and managers directly," Papatheodorou said. 

Another avenue for preparation is looking at outcomes. "Start by deciding what outcomes you most desire, and pick the right modality of training to best meet those outcomes -- which varies per organization," Lucas said. 

For example, "ask the security team and leadership some questions: What are our biggest risks? What are we protecting? All of this data will help you clarify where you should start," Plaggemier said.

The organization could decide to do a general cybersecurity threat overview, a basic education that could teach employees how to spot and prevent breaches. Or, depending on the company's needs, the training could be more specialized, focusing on password security, email and social media policies, and protection of company data, Papatheodorou said. 

2. Get employee buy-in

"Getting employee buy-in is going to be the most important part of a successful training program," said Mark Webster, co-founder of Authority Hacker. "Especially if you're asking them to learn something that fundamentally changes the nature of their work."

A big part of employee buy-in is accessibility. The courses should be easy to access, so that going through training isn't a hassle.

"Make sure to choose the right training delivery method for each role," Papatheodorou said. "The tool you use to train your employees should correspond to the nature of their work. For example, deskless workers should receive training through mobile devices."

"To get the employees on board, involve them beforehand and offer them learning opportunities that spark a personal interest," Papatheodorou said. "Send an email asking each employee what kind of training they'd like to get. Make your sales or any other training courses accessible to other departments." 

3. Monitor progress 

Effective training programs are those that evolve and improve, which is why monitoring progress is crucial. 

To see if the training courses have been helpful and useful, Papatheodorou suggested including quizzes or tests within the classes. 

"For every training module, create quizzes and tests to assess what people have learned," Papatheodorou said. "If possible, include gamification features to engage and motivate employees to score higher. Make sure to include frequent knowledge assessments within training sessions, as they help knowledge retention." 

To see how training has impacted a department, run a before and after analysis, Papatheodorou added. For cybersecurity, this could include sending a company-wide fake phishing email before and after the training, measuring how many people clicked the link each time.
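The before-and-after phishing simulation described above produces two click counts, and the temptation is to read any drop as proof the training worked. The following is an added example, not code from the article or from any of the vendors quoted in it: it tallies click and report rates per campaign (and per department) from a constructed result set and runs a two-proportion z-test so that a small sample is not mistaken for a real improvement. The campaign names, departments and counts are all hypothetical.

```python
# Added example (not from the article): before/after phishing-simulation analysis.
# Measures click rate and report rate per campaign, then checks whether the change
# in click rate is statistically distinguishable from noise.
from collections import defaultdict
from math import sqrt


def make_rows(campaign, dept, sent, clicks, reports):
    """Build hypothetical per-recipient rows: the first `clicks` recipients clicked,
    the last `reports` recipients reported the phish, the rest did neither."""
    rows = []
    for i in range(sent):
        rows.append({
            "campaign": campaign,
            "department": dept,
            "user": f"{dept}-{i:02d}",            # hypothetical user id
            "clicked": i < clicks,
            "reported": i >= sent - reports,
        })
    return rows


# Constructed sample data (hypothetical departments and counts, not real users).
SAMPLE_RESULTS = (
    make_rows("baseline", "finance", sent=10, clicks=5, reports=1)
    + make_rows("baseline", "sales", sent=10, clicks=3, reports=2)
    + make_rows("post_training", "finance", sent=10, clicks=2, reports=5)
    + make_rows("post_training", "sales", sent=10, clicks=1, reports=4)
)


def summarise(rows, by_department=False):
    """Return {key: {"sent", "clicked", "reported", "click_rate", "report_rate"}}
    where key is the campaign name, or (campaign, department) if by_department."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        key = (r["campaign"], r["department"]) if by_department else r["campaign"]
        c = counts[key]
        c["sent"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    for c in counts.values():
        c["click_rate"] = c["clicked"] / c["sent"]
        c["report_rate"] = c["reported"] / c["sent"]
    return dict(counts)


def two_proportion_z(x1, n1, x2, n2):
    """z statistic for H0: p1 == p2, using the pooled proportion."""
    p_pool = (x1 + x2) / (n1 + n2)
    se = sqrt(p_pool * (1 - p_pool) * (1 / n1 + 1 / n2))
    return ((x1 / n1) - (x2 / n2)) / se


def compare_campaigns(rows, before="baseline", after="post_training", z_crit=1.96):
    """Compare click rates of two campaigns; `significant` is a two-sided test at
    alpha = 0.05 (z_crit = 1.96). A drop that is not significant may just be noise."""
    s = summarise(rows)
    b, a = s[before], s[after]
    z = two_proportion_z(b["clicked"], b["sent"], a["clicked"], a["sent"])
    return {
        "before_click_rate": b["click_rate"],
        "after_click_rate": a["click_rate"],
        "before_report_rate": b["report_rate"],
        "after_report_rate": a["report_rate"],
        "z": z,
        "significant": abs(z) >= z_crit,
    }


if __name__ == "__main__":
    for key, c in summarise(SAMPLE_RESULTS, by_department=True).items():
        print(key, f"click {c['click_rate']:.0%}  report {c['report_rate']:.0%}")
    print(compare_campaigns(SAMPLE_RESULTS))
```

With these constructed numbers the click rate falls from 40% to 15%, which looks like a clear win, but with only 20 recipients per campaign the z statistic is about 1.77, below the 1.96 needed at the conventional 5% level. Tracking the report rate alongside the click rate is also worthwhile: the goal of training is not only fewer clicks but more employees telling the security team about the message.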

Overall, security teams must enter training initiatives with full force and a solid plan, according to Plaggemier.

"It's the security team that's accountable, so they should 'own' the program," Plaggemier said. "When a security incident happens, executives aren't going to ask HR or Corp Comms if the training program was effective, they're going to ask you, so own it."
