4-step methodology for effective InfoSec training

February 2, 2017 | InfoSec Workforce | By Brian Dulany |
To maximize the value, effectiveness and ROI of InfoSec training, it should include a handful of steps.

At this point, it's not that businesses are unaware of the need to refine their approach to information security to combat today's growing threats. Considering the frequency, scale and intensity of data breaches occurring on a regular basis, it's all but impossible to ignore. The problem is knowing what changes to make to make InfoSec training more effective.

According to Computer World, half of organizations are considering changing their InfoSec management model, with the top reasons for doing so being:

  • Growing concern about data breaches and losses (78 percent)
  • Technology innovations (53 percent)
  • Regulatory compliance (49 percent)

In today's increasingly mature threat landscape, the only companies that stand a chance against hackers are those who adopt an aggressive, detailed and multi-layer approach to information security. And a best-in-class offensive and defensive InfoSec strategy is only possible when your team members are trained on best-in-class practices and latest cybersecurty methods. 

While there's no one-size-fits-all solution, there are a handful of steps that make for a more efficient and comprehensive training. By following this series of steps, not only do you ensure higher levels of protection for your critical infrastructure, you also guarantee a higher return on investment from your InfoSec training by focusing your time and resources on mitigating the biggest risks facing your organization.

"Assessments help ensure the InfoSec training isn't redundant."

Step 1: Evaluate
As with any critical business operation, the predecessor to proper implementation and execution is strategic planning and preparation. To know exactly who you should send to training and what areas they should focus on, you first want to conduct assessments to identify where the skills gaps are. Having a benchmark of competency levels will not only help form the blueprint for a specific training plan, it will aid in measuring the effectiveness and ROI on the program down the line. You also ensure you won't have to waste time on training skills that have already been learned or on areas where your IT team demonstrates high levels of proficiency as is. 

Step 2: Train
Once you know which competencies need most improving, you're ready to enroll in training programs. Remember: For InfoSec training today to have any real meaning or value, it needs to be more about operations than information. In other words, IT pros shouldn't just understand the information. They should be able to actually apply those skills in real-world environments.  Additionally, the training needs to be tailored to the specific job functions of each InfoSec role, whether it be:

  • Core operations
  • Protection
  • Threat emulation
  • Discovery and counter-infiltration
  • Development

Step 3: Validate
Don't make the mistake of thinking that once you've sent your IT team through InfoSec training that you're good to go. Training must be ongoing - not a one-and-done deal. To ensure employees are gaining and utilizing the most valuable and relevant InfoSec skills, validate their competencies through performance-based exercises and simulations. 

Step 4: Sustain
Your training programs should occur more than once a year. But even when your InfoSec teams undergoing formal training multiple times throughout the year, incorporate training-related drills into their regular practice and duties. New adversaries and cybercriminal methods are constantly being developed and discovered. The duty of InfoSec pros is never done, and there's always room for improvement. 

To learn more about how to keep your InfoSec team sharp and skilled in the latest and best practices, download our whitepaper.