Once your company has made the decision to conduct security awareness training, the next big decision is whether to do it in-house or outsource it to a professional training company.
The decision should be driven first by your business needs, the scope and type of training required and, as always, your company's available resources and their costs.
People and purpose
First, determine the purpose of your training and your audience. Is it to meet compliance standards, such as Sarbanes-Oxley Act (SOX), or because you feel things should be tightened up because of recent security incidents? Is it to correct unsettling behavior among your staff, or poor information security hygiene? Or is it an effort to be proactive and avoid the negative publicity of a breach?
Also consider your audience. Are they corporate executives, middle managers or lower-level staff? This will determine the type of training, and whether it should be in-house or outsourced. Each audience has different needs. Executives want to be educated on why they should spend money on information security, how it impacts the bottom line and how it can be sold and marketed as a company feature. Managers at all levels, whether in the middle or not, have the same concerns but, in addition, need more focused training on the business case for security and, since they're closer to the everyday employees, a few tips themselves on safe information security practices.
Your staff, on the other hand, is very diverse and has a correspondingly different range of needs and interests. The bulk of your non-technical workers will need bread-and-butter IT security awareness training on best practices for safe handling of data, such as keeping sensitive customer information confidential, proper disposal of documents containing such data and protecting their own personal information and equipment, like passwords and laptops.
Secretaries and support staff need to be educated about social engineering, since they're the prime target of intruders trying to break into the premises to steal corporate secrets or customer information. Technical staff will want more nuts-and-bolts stuff, like hands-on training in safe coding practices and network configuration.
Will a PowerPoint do?
The next factor is size of the intended audience. If your target group is the entire company -- maybe because of a compliance mandate -- and you need to train thousands of employees, the outsourcing route might be easier. Many large companies have corporate training departments that negotiate with outside trainers. Depending on licensing and copyright rules for the vendor's materials, sometimes they can train your staff to teach their materials, saving you the cost of travel and lodging for their trainers.
Besides compliance, some companies require completion of annual corporate security awareness training as part of performance reviews for their entire staff. Another way to blanket a large enterprise is through Web-based training. This can be outsourced at a reasonable cost; no live trainers necessary and affordable training packages are often available. Plus it can save your training staff the headache of having to create their own materials.
On the other hand, a large company with a well-staffed information security department and a small or specialized target audience can manage in-house training with existing materials at a low cost. They can put together a PowerPoint presentation for the non-technical masses about the evils of social engineering, safe handling of customer data, password best practices, spyware avoidance and the company's information security policies.
Here's a rough rule-of-thumb for figuring out a break point between staying in-house or going out. Assume a sample course length of a day and a target audience of two hundred employees in classes of twenty five each. Three in-house trainers can probably cover the entire crew in about a week. For audiences larger than that, go outside the company, especially if the training is less technical and more business oriented.
Security awareness training tactics
Here are some options for outsourcing your security awareness training and things to watch out for:
For targeted programs for your technical staff on safe coding practices and secure network configuration, companies like Symantec Corp., Microsoft and Cisco Systems Inc. sometimes offer tailor-made one- or two-day presentations. They don't advertise these services, but will put something together if approached and given the right parameters. SPI Dynamics, which develops software for scanning Web applications, also does on-site training.
Besides the cost of their presentations themselves, watch out for licensing fees and other hidden costs. Check whether a package can be purchased once and then reused and taught by your staff. Sometimes they require their trainer -- flown out at your expense -- to conduct all classes with their materials. Fees vary for these programs, especially since they're tailor-made and not prepackaged or off-the-shelf standard products and services for these companies.
For broader security awareness training, choices abound. The Security Awareness Company (Interpact Inc.) offers both live and Web-based training involving role-playing and simulation games, including one modeled after the TV show Survivor. Another company offering a variety of formats, from videos and Web-based training to live trainers, is Easy i. It bills its training as totally customizable and constructs tailor-made programs only after doing a thorough analysis of a company's needs. The company also offers off-the-shelf products in 26 languages.
Native Intelligence, another training company, offers Web-based training that can be customized with a company's own logo. The materials are regularly updated and are ideal for a large organization needing to educate all its employees on an annual basis -- and certify it -- due to compliance.
There are also many smaller, lesser-known vendors. As with any other product or service, make sure to get a demonstration and sample materials before making any commitment.
A general rule then is that it's often wise to outsource training for larger groups and more broad-based training needs, but smaller, more specialized groups should be trained in-house, if you have the resources to spare.
About the Author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in developer security, specializing in Web and application security, and the author of The Little Black Book of Computer Security available from Amazon.