Enterprise security awareness training for employees has long been considered a compliance-checkbox activity, but not necessarily an effective tactic for protecting corporate assets.
However, amid what has become a large and competitive market full of quality security awareness training products, one expert says that enterprise security managers should rethink their attitudes toward user awareness training.
Research firm Gartner Inc., based in Stamford, Conn., this month released its first-ever Magic Quadrant for Security Awareness Computer-Based Training Vendors, a report that analyzed offerings from 19 of the largest security awareness training vendors. Heavy hitters like Wombat Security Technologies Inc., FishNet Security Inc. and the SANS Institute are all featured, as well as a surprisingly large field of upstart training organizations. All told, the vendors in the Gartner report account for around $650 million in annual revenue.
What can't be seen in the Gartner research, said report author and Gartner research vice president Andrew Walls, is the thousands of niche training vendors that could be equally as useful as the big players in the right circumstances. For instance, if a small training vendor only operates out of the Cincinnati area and has received rave reviews from its clients, a Cincinnati-based enterprise should consider the local vendor if it meets the enterprise's needs.
"The fact that they don't play outside Ohio is irrelevant" for training, said Walls.
He noted that there are many such vendors around the world that only serve a single metropolitan area, such as Beijing or London, or even organizations that provide security awareness training in a specific language, a practice that is prevalent in nations like India. When large and small players are tallied, Walls said the result is a market that already exceeds $1 billion in annual revenue and, based on limited market data, is growing at approximately 13% a year.
Security awareness training turns a corner
Walls acknowledged that the growth in the security awareness training market comes despite a long-held belief among many enterprises that employee awareness training simply doesn't work.
That attitude, he said, has largely been driven by past mistakes from enterprises, which often utilized internal security teams to develop training programs. While input from in-house security experts is vital for quality training, Walls said do-it-yourself training programs often fail to account for a key ingredient: instructional designers and other training experts.
"Effective education is a non-trivial thing, and it takes a very solid understanding of the audience and how you're going to measure the effectiveness of that education," said Walls. "Within the industry, the history of security education has ignored all that. It doesn't worry about impact; it doesn't worry about [asking] 'Is this effective?'
"As a result, the word on the street is that security training isn't worth the time and money," Walls continued. "It's the classic syndrome of blaming the tools … the fault lies with you, not the audience."
Security awareness training: Not only for compliance
Still, Walls said more enterprises are turning to security training as a way to address a variety of security and business problems.
For one, Walls said the increasing prevalence of bring your own device (BYOD) programs in enterprise environments has bypassed or dulled many of the tried-and-true technical controls that companies have relied on to secure desktops and laptops. As a result, often the only thing standing between an attacker and sensitive corporate data may be an employee's knowledge of security best practices when operating a BYOD phone.
Another factor, according to Walls, is a seemingly unrelenting wave of data breaches affecting organizations of all sizes and industries. Enterprises can throw as many technologies as they want at the breach problem, he said, but if employees are still likely to open phishing emails, training becomes a necessity.
Walls said enterprises are also concerned by the "reputational issues" associated with suffering a breach. Retailers Target and Home Depot, for instance, were criticized in the wake of massive data breaches when information leaked showing both had made serious staffing and technical missteps within their respective security programs.
Should a high-profile incident occur, Walls said enterprises fear facing similar criticisms from customers and shareholders that employees weren't properly trained.
"Enterprises want it on the record that they told their people all this stuff, that they have the skills," said Walls.
Choosing a security awareness training vendor
With thousands of security awareness training vendors in the market, and nearly 20 making Gartner's Magic Quadrant, enterprises may be left asking which is the best. Despite labeling certain vendors as "leaders" or "visionaries" for the Gartner report, Walls emphasized that there is no "best vendor" when it comes to training, only the right vendor for specific circumstances.
Walls said enterprises must come to understand that security training by nature should be customized for the intended audience. Whereas customer service employees may do well with twice-a-year computer-based training modules, CEOs and other executives may retain information better through other training methods.
With that in mind, Walls advised enterprises to shop around to see which vendors offer coverage for the desired topics -- whether for a specific industry, a regulation such as HIPAA or antiphishing -- and then assess the available training modules to determine if there is a match with the company's employee training needs.
"That could be something with high interactivity, it could be sending them a book, but companies have to do that analysis," said Walls, noting that many of the enterprises he's spoken with have opted for multiple vendors to fulfill different needs. "If you're a multinational that is dealing with people in Indonesia and New Jersey, you can't send out blanket training that's the same for everyone."
Beyond assessing an organization's needs beforehand, Walls said the other important factor to consider with training vendors is the assessment services on offer. Some vendors may provide a short training video immediately followed by a quiz that would help enterprises fulfill compliance regulations, but Walls stressed that such methods are useless for improving an organization's security posture.
Instead, a company should identify training vendors that provide continual assessment services. Walls said that antiphishing vendors such as Wombat, PhishMe Inc. and PhishLine have become quite popular in recent years, not only because phishing remains a huge threat to enterprise security, but also because the vendors can actually prove the phishing-prevention training services work.
"They send you an email with a link in it. If you click on it, you fail and they kick you back into remedial training," said Walls. "Continual assessment is built into the fundamental nature of what they do."
Walls said he expects a great deal of consolidation among larger training vendors in the coming years. Some larger security vendors will look to make acquisitions so they can integrate security awareness training services into larger product offerings, he said, while vendors like PhishMe and Wombat have already established partnerships with other security companies. Antiphishing vendors in particular are likely to suffer, he added, as the uniqueness of their offerings is eroded.
Walls concluded that future market consolidation activity will be a positive for the industry, as training should be considered a legitimate, must-have enterprise security tool.
"If you are not educating employees about your policies, there should be no expectation that they will follow them," said Walls. "Enterprises should consider it basic hygiene, just like having antimalware on desktops."