Seven Tips for Scalable Security Training
By Ericka Chickowski | Posted 2009-11-19
Solution providers can add value to their IT security implementations by complementing technology and consulting with a mature portfolio of security training offerings. But what makes a good program?
One of the biggest ways channel partners can add value to their IT security implementations is to complement technology and consulting with a mature portfolio of security training offerings. As the famous hacker Kevin Mitnick will attest, people are every organization’s weakest link when it comes to keeping systems and data locked down.
But what makes for a good security training program? And how can you develop and sell a program that will really turn a buck?
To get the answers, Channel Insider recently interviewed Barry Cooper, vice
president of training services for FishNet Security (FNS). FNS has sold both
traditional and computer-based security training for 13 years. Cooper offered
seven tips for channel providers looking to either develop or resell private
label security training offerings.
Start by Selling to the Right Markets
Sure, every organization could do well to purchase security training to improve employee awareness. But the reality is that not every organization is ready to make the investment. Starting out, channel partners should really tailor their security training programs around the compliance-minded customers who need to implement training to fall in line with regulatory mandates.
For example, FNS just recently released a spate of training offerings
focused on PCI and HIPAA, both of which require security training in order to
bring employees up to snuff on important security practices that can impact
personally identifiable information throughout the information lifecycle.
Distance Learning Is Key
While organizations are required to train their employees for compliance purposes, many of them are constrained in how much they can spend on a program. Times are tight and customers just don’t have the dough to fly in instructors or the resources to pull out employees for extended face-to-face training days. The channel will find much greater success in developing training programs that offer always-on distance learning available via internal learning management systems or online through FNS systems, Cooper says.
"They have this need, but they don't have a lot of budget. Historically,
organizations would have paid someone to come out to their site and deliver
them a course," Cooper says. "Right now in the business, it is all about
margin, it's all about expense. It’s not that they don't have a training budget;
they just don't have a travel budget. And that's where this kind of training
Tap the Experts for Quality Curriculum
It goes without saying that your training offerings are only as good as the curriculum you develop. In order to really offer customers a return on their training spend, you’ll need to tap into a trusted pool of subject matter experts who can help cultivate the curriculum.
"For any training program to be successful, it must be based on real-world experience and created and delivered by subject matter experts," Cooper says. "In the case of PCI DSS and HIPAA training, curriculum should be developed by QSAs and HIPAA experts who have experience with implementation and auditing."
Create Repeatable and Customizable Content
Customers will want to see training content that is customized to their business policies and procedures and that is also highly repeatable to ensure smooth on-boarding of new employees throughout the year.
FNS has addressed this issue by creating distance learning modules that are largely the same based on the security or compliance issue at hand, but that can be tweaked slightly to address individual customer policies.
"We can tailor it," Cooper says of his own organization’s offerings. "We
have the ability to customize these modules for each individual customer that
we sell to. So if we want to put some of their own policies that are related to
these compliance issues, we can do that."
Interactivity Is a Must
People don’t really learn simply by reading some text on a screen or watching a streaming video or two. Impactful training that customers will subscribe to over the long run is the kind that mixes up its teaching methods.
This means offering a level of interactivity with games, puzzles and other tricks of the trade to keep learners engaged and mindful of the content.
"Being able to associate something that is unknown with something that you
already know is a key way adult learners retain information," Cooper says.
"Whether it is through a puzzle or a game, interactivity is extremely
Even though many customers are required to offer this training for compliance, most still want to see quality ROI rather than simply implementing training to check a box. But measuring ROI on training can be tricky if you don’t help them with the process. As such, it is critical that training partners build in a way to capture metrics throughout the training process.
For example, FNS offers pre-testing and post-testing of the given material to show how much, exactly, the employees have learned from the curriculum.
"The metrics part is important to organizations because they have to prove
compliance," Cooper says, explaining how FNS does it. "We can track
participation, pre- and post-test, and also come back over time and test
whether retention is taking place, for instance."
Assess Behavioral Changes
Another critical part of ROI is that the employees not only learn the material, but also change their operational behaviors based on that learning. Channel partners can help companies track these behavioral changes by offering assessment services that trace key metrics within the customer environment. For example, physical penetration tests and spot checks could verify how many employees are storing passwords on sticky notes attached to their workstations before and after training.
If, say, the partner spots 25 instances of this in an office a month prior to training and then only finds three a month after training, that is pretty solid evidence that the awareness push has affected behavior.
Says Cooper: "Partnering with the customer or the client to make sure that the
behaviors that we are trying to teach are resonating is very important."