One of the biggest ways channel partners can add value to their IT security
implementations is to complement technology and consulting with a mature
portfolio of security training offerings. As the famous hacker Kevin Mitnick
will attest, people are every organization’s weakest link when it comes to
keeping systems and data locked down.
But what makes for a good security training program? And how can you develop
and sell a program that will really turn a buck?
To get the answers, Channel Insider recently interviewed Barry Cooper, vice
president of training services for FishNet Security (FNS). FNS has sold both
traditional and computer-based security training for 13 years. Cooper offered
seven tips for channel providers looking to either develop or resell private
label security training offerings.
Start by Selling to the Right Markets
Sure, every organization could do well to purchase security training to improve
employee awareness. But the reality is that not every organization is ready to
make the investment. Starting out, channel partners should really tailor their
security training programs around the compliance-minded customers who need to
implement training to fall in line with regulatory mandates.
For example, FNS just recently released a spate of training offerings
focused on PCI and HIPAA, both of which require security training in order to
bring employees up to snuff on important security practices that can impact
personally identifiable information throughout the information lifecycle.
Distance Learning Is Key
While organizations are required to train their employees for compliance
purposes, many of them are constrained in how much they can spend on a program.
Times are tight and customers just don’t have the dough to fly in instructors
or the resources to pull out employees for extended face-to-face training days.
The channel will find much greater success in developing training programs that
offer always-on distance learning available via internal learning management
systems or online through FNS systems, Cooper says.
“They have this need, but they don't have a lot of budget. Historically,
organizations would have paid someone to come out to their site and deliver
them a course,” Cooper says. “Right now in the business, it is all about
margin, it's all about expense. It’s not that they don't have a training budget;
they just don't have a travel budget. And that's where this kind of training
comes in.”
Tap the Experts for Quality Curriculum
It goes without saying that your training offerings are only as good as the
curriculum you develop. In order to really offer customers a return on their
training spend, you’ll need to tap into a trusted pool of subject matter
experts who can help cultivate the curriculum.
“For any training program to be successful, it must be based on real-world
experience and created and delivered by subject matter experts,” Cooper
says. “In the case of PCI DSS and HIPAA
training, curriculum should be developed by QSA’s and HIPAA experts who have
experience with implementation and auditing.”
Create Repeatable and Customizable Content
Customers will want to see training content that is customized to their
business policies and procedures and that is also highly repeatable to ensure
smooth on-boarding of new employees throughout the year.
FNS has addressed this issue by creating distance learning modules that are
largely the same based on the security or compliance issue at hand, but that
can be tweaked slightly to address individual customer policies.
“We can tailor it,” Cooper says of his own organization’s offerings. “We
have the ability to customize these modules for each individual customer that
we sell to. So if we want to put some of their own policies that are related to
these compliance issues, we can do that.”
Interactivity Is a Must
People don’t really learn simply by reading some text on a screen or watching a
streaming video or two. Impactful training that customers will subscribe to
over the long run is the kind that mixes up its teaching methods.
This means offering a level of interactivity with games, puzzles and other
tricks of the trade to keep learners engaged and mindful of the content.
“Being able to associate something that is unknown with something that you
already know is a key way adult learners retain information,” Cooper says.
“Whether it is through a puzzle or a game, interactivity is extremely
important.”
Measure Progress
Even though many customers are required to offer this training for compliance,
most still want to see quality ROI rather than just simply implementing to
check a box for training. But measuring ROI on training can be tricky if you
don’t help them with the process. As such, it is very critical that training
partners build in a way to capture metrics throughout the training process.
For example, FNS offers pre-testing and post-testing of the given material
to show how much, exactly, the employees have learned from the curriculum.
“The metrics part is important to organizations because they have to prove
compliance,” Cooper says, explaining how FNS does it. “We can track
participation, pre- and post-test, and also come back over time and test
whether retention is taking place, for instance.”
Assess Behavioral Changes
Another critical part of ROI is that the employees not only learn the material,
but also change their operational behaviors based on that learning. Channel
partners can help companies track these behavioral changes by offering
assessment services that trace key metrics within the customer environment. For
example, physical penetration tests and spot checks could verify how many
employees are storing passwords on sticky notes attached to their workstations
before and after training.
If, say, the partner spots 25 instances of this in an office a month prior
to training and then only finds three a month after training, that is pretty
solid evidence that the awareness push has affected behavior.
Says Cooper: “Partnering with the customer or the client to make sure that the
behaviors that we are trying to teach are resonating is very important.”
