5 Principles for Selecting Security Training Providers
It seems like everybody and their brother is offering security training nowadays: universities are spinning up new programs; technology product vendors are making courses available (both focused on their products and more generic options); industry associations are increasing training offerings (both online and at events); not to mention countless others who are all offering security training. It’s a buyer’s market for cybersecurity training opportunities.
This is not a surprise given what we know about the demand for skilled security resources. ISACA’s 2018 Global State of Cybersecurity survey, for example, found that 59% of enterprises have unfilled security positions and that for 54% of them it takes three months or longer to fill the open positions they have. Likewise, data from CyberSeek (a tool focused on tracking the cybersecurity job market), rates the supply of cybersecurity workers as “Very Low,” and they estimate the number of job openings (as of this writing) at about 40% of the total workforce.
Given these dynamics, it stands to reason that educational opportunities to help fill this critical need for skills would arise. The variety of options can, however, make it challenging for consumers, particularly those in the higher education space. The managers and executives chartered with securing the technical environment in educational institutions often have limited dollars to invest in the development of staff skills. This means that a wealth of options for training create anxiety about making the right selection: questioning which of the many options is the right one, which providers will best fit the need, and what training options are needed most.
Even when training options are free, there’s still an opportunity cost. You might ask, “What other critical security needs have gone unmet because staff and budget were dedicated to this training?” Security professionals in higher-education know that there’s never enough time to do everything, so prioritizing one thing means deprioritizing something else. If the training doesn’t yield fruit, you’ve wasted time and hindered another important activity somewhere else.
So, how do you select the best option and know you are using limited dollars most effectively? While no complicated purchasing decision can be fully reduced to a set number of key principles (consider buying a car for example), that doesn’t mean there aren’t a few things to keep in mind as you make your selection.
Principle 1: Understand ROI (and Risk Mitigation for Dollars Spent)
People sometimes get “squirrely” when it comes to looking at the dollars and cents associated with any security measure. The fact is, though, that it’s necessary—particularly in higher education. You won’t have an infinite budget, and you may not even have enough budget to fully protect your organization to a minimum standard. Understanding what a given investment will get—and more importantly, the value that has to your program overall—is prudent. If for example a staff member wants to attend vendor training on a specific tool, the value that will have is predicated on a few different factors: whether you use that tool, how valuable that tool is to your program, and other plans you have that might impact the tool’s operation (for example, if you plan to phase it out).
The training decision then, to be done most effectively, requires estimating the future value of the training—in the context of your security program overall. To do that, you need to understand the relative value, role, and import of individual controls in your portfolio in the first place. For an educational institution, this can be hard to do given large, complicated, heterogeneous environments and a lean population of supporting staff.
A useful way to get the data you need to be able to do this is by systematically understanding the risks to your institution, understanding the risk-reduction benefit of individual controls that you have in place, and tying those two pieces of data together to inform training decisions. So, while it might sound strange at first blush, the truth is that better risk management makes for better training over the long term.
Principle 2: Trainers Aren’t All Created Equal
Next, keep in mind that training isn’t fungible (meaning, not all training and training providers are created equal). There are often substantive quality and value differences between providers. Unfortunately, it’s not always easy to tell at first glance whether a training provider is good or not. Since choosing poorly wastes time and dollars, though, being as educated as you can be before you select a provider means a better outcome for the institution overall.
One way to minimize exposure is “try before you buy” on training options. Much like you might demo a product before you commit to a purchase, training with one or two staff members first before committing to a larger level of investment helps. If the training is poor, move on and keep a note for posterity. If it’s great, evaluate what other staff might need the same training and expand.
Doing your homework by researching providers ahead of time is also valuable. Credibility counts in the training world just as it does everywhere else. Just like you’d evaluate any other purchase (e.g. by talking to peers and sharing experiences, reviewing references, doing a quick Google search to see samples of other training they’ve done), establish credibility in the provider using the tools available to you before you engage.
Principle 3: Select a Plan
Training is ultimately an exercise in filling-in and addressing gaps that you may have in your team’s overall expertise and skill base. Doing that well, of course, means understanding what gaps your team has in the first place. Staff members that have worked in the higher education world for a few years may have a more eclectic skill base than what you see on the surface. For example, by virtue of a prior life or prior regime, your resources may have deep expertise in the tools and techniques of which you are unaware.
If you’ve never systematically evaluated this—particularly if you have a large team—you are likely leaving good talent “on the table,” potentially reduplicating training efforts, and failing to address areas of need. A skills inventory (i.e. a “map” of team skills) can help you select the most germane providers, as you can use it to correlate areas of need with areas where specific providers are strongest. If you’ve done the research on those training providers, compare topic-areas where given trainers excel and select from those strongest in what you need most. A side benefit of this is also that you build knowledge about the skills your existing resources have, which is always useful when it comes to planning out staffing for new projects.
Principle 4: Assess Performance
Build a way to measure the effectiveness of training efforts you do undertake. It’s hard to know what trainers to engage when you don’t have a record of who you’ve used in the past and whether they are any good. Doing this well means more than sending out a simple feedback form to record impressions of training exercises. Why? Because the feedback form can wind up being more a measure of staff satisfaction vs. building the skills intended. If you have no other way to do it, a feedback form is better than nothing, but the best mechanism is one that lets you measure skills directly (e.g., a cyber range or other “hands-on” assessment tool). If you have access to one of these, consider how you might adapt output from it to measure training efforts and include as part of your measuring process. Whatever strategy you use, though, retain these records for posterity, so you can measure training options over time.
Principle 5: Understand the Type of Training Being Offered
For the sake of making the point, one could categorize training options into two “buckets:” general conceptual knowledge and specialized, hands-on skills development. There is absolutely a time and a place for both in an institution’s training strategy. The former is useful for junior resources and those just entering the profession, while more experienced staff that have the foundations already down will find the second to be more efficient and useful. A critical look through the learning objectives (or course materials if you can get your hands on them) can help you understand what you’re signing up for and pick accordingly based on the staff you’re targeting.
While none of these principles are exactly “rocket science,” very often leaders don’t approach training with the same level of rigor, due-diligence, and care, as they would selection of any of the other controls and countermeasures they might deploy to support their security program. This is natural given the turbulent and complex environments most institutions operate in but taking the time to unpack and evaluate a training option with the same rigor as you would evaluate a technical control can lead to fantastic returns.
Do you need assistance choosing a cybersecurity training provider at your institution? Contact Katelyn Ilkani, who leads Tambellini’s CISO Advisory Practice, to discuss options.
October is National Cybersecurity Awareness Month 2018, a collaborative effort to ensure online safety co-lead by U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA). Tambellini presents this blog as thought leadership from industry experts on cybersecurity market trends impacting higher education.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group. To express your views in this forum, please contact Katelyn Ilkani, Vice President, Client Services and Cybersecurity Research, The Tambellini Group.