Cybersecurity awareness training has always, at one level, been about risk. Whether you subscribe to the notion that employees are your first line of defense (they're not) or that employees are your last line of defense (there you go), it really can't be argued that employee behavior plays no role in the risk facing an organization. This statement is true whether we're talking about cybersecurity or construction site safety, but the last year has seen a dramatic change in the ways that companies talk about, think about, and act on the connection between risk and employee training.
One of the strongest drivers of this change has been the role of cyber-insurance providers in the cybersecurity industry. Cyber insurance is now seen as a product as necessary as property and casualty insurance for most companies. And since cyber-insurance companies charge for their product — a product based on risk — the cost of that product, and therefore the cost of risk, has bubbled to the top of the business conversation topic list.
A New Goal
Today, the goal of cybersecurity awareness training is less about creating an educated workforce and more about reducing the risk of an uneducated workforce. Those might seem to be two sides of the same coin, but there is a critical difference: how success is demonstrated. If the goal is to produce an educated workforce, then assessing training success can come through tests that ask questions about the lesson just taught. The key is finding out whether the student gained information from the lesson.
If, on the other hand, the goal is to reduce the risk of an uneducated workforce, then assessing training success must come through a demonstration of changed behavior. The issue is not whether the student acquired information but whether the student puts that information to use to behave in a way that is less risky for the organization. Put simply, it's not what the employees know but what they do that matters.
The New/Old TrainingCybersecurity awareness training has always been a two-part educational service. The first part is knowledge transfer, while the second part is changed behavior. The new goals and new conversations don't change that fundamental makeup, but they do change the emphasis of the process and how it is thought of throughout the organization.
With the emphasis shifting to reduced risk, the spotlight is on changed employee behavior. Customers, then, will force training providers to discuss how they change behavior (and measure that change) rather than how they engage employees or keep employees' interest over the length of a training course. Many companies will frankly not care how a training product works as long as it produces the desired, measurable change in risk.
Some training providers are beginning to recognize the shift and more change is on the way. During the training evolution, it is likely that the industry will see muddied messages, new ways of describing the product and new ways of measuring training success. Customers who make the most of the changing reality will be those who remember that the two primary pieces of cybersecurity awareness training haven't changed — the training providers who have produced the best results in the past are likely to have a solid starting advantage as we move into the future.