Training and ROI (Return on Investment)
I have given cyber security training many times so far, to a wide variety of audiences:
- Industry sector – manufacturing, IT products or services
- Headcount – from 10 to 90
- Level – security guard to CEO
- Ethnicity – extremely varied
- Countries – India, USA, Middle East
There are several reasons why a company seeks information security training for its employees, staff and Technical Leads:
- Either they have had to face an information security breach incident (network hacking, web application hacking, a phishing attack, etc.)
- Or senior management has proactive plans for business expansion involving many IT infrastructure changes, and needs its Tech Leads ready to manage all of it along with cyber security.
I have heard many times from our customers: "We have done several information security trainings in the past, but their effectiveness is not what we expected. How could you help?"
Mostly, because of those several failed attempts in the past, they are reluctant to hold an in-person training due to time and budget issues (mostly time, because in day-to-day operations getting all Tech Leads into one room is tough).
But we always insist on in-person training. Otherwise, there are plenty of blogs and forums on the internet from which any company can download and use all types of training material. In that case, how can a 15 to 60 minute presentation be effective if the person cannot relate to it?
Now, "the person could not relate to it"? This is one big jargon phrase tossed around by many experts in the market.
Let me tell you exactly what we do (not differently) to ensure senior management gets the expected ROI on their training programs:
- We select the company based on its own willingness and reasons for conducting information security training for its employees or Tech Leads, as it is important to know that the audience is serious and genuine in wanting to receive the training.
- Once the date of the training is decided, a week prior I study each team and department within that company, just to understand their industry domain and their day-to-day operations. If they have defined procedures, I study those and try to fix a mind map of that company in my head: what data each team works on, and how each team's inter-dependency on other teams is managed along with that data.
- I start creating a thoroughly customized training deck for that company, for those teams and departments. Step 2 and Step 3 (studying the company and building the customized deck) are exactly what we are best at. The presentation I create has crucial guidelines, security practices and Do's-&-Don'ts targeted particularly at each specific team from the company in the audience.
Ex: Secure deployment cycle and guidelines for a team of developers. Secure hand-holding process to follow between the DevOps and Developer Leads during and after deployment.
Ex: Targeted questions and scenarios for the Administration & Facility team Lead on security, especially during off-office hours and weekends. We also try to educate Leads on preventive measures to follow to avoid POSH cases within the company.
We basically achieve all this by creating a deck that gets 100% involvement from the audience:
- First, explain what information security means 'to that person', 'in his role', 'in that company'. Trust me, these three phrases are very distinct and specific to a person, because:
"No company's business is the same, and no company operates in the same manner."
If they were the same, there would be many Googles, Apples and Teslas in the world. Each company has its own working environment, comprising its own IT infrastructure, where people behave and work in a certain defined manner.
- This last component is my personal favorite, as it adds a little humor to my training sessions. I start with the most critical question: "Are you all able to hear me? Am I audible in the last row?" The answer to these questions is always "No!" So indeed I have to speak "very" loudly so that my audience can hear me, and because of this constant loud speaking my voice begins to crack (trust me, it's really funny; I laugh at it myself). In order to get myself a break, I keep quizzes and interesting case-study scenarios in between the session, where the teams think and I get to be quiet! But this has actually made me realize that because of these case-study discussions teams loosen up and open up to friendly conversation, which has made many, many senior Leads come and talk about the real security concerns they face while managing their teams. This has a two-fold benefit:
One: listening to and understanding their own Lead's concerns about managing team members, along with the inter-dependency of his team on other teams, makes them realize the reasons and the gravity of why their Lead and management want to be so particular about information security. This in turn has made teams bond well together technically!
Two: it's interesting for me too, as I get to listen to so many technical information security issues and attacks that no Gartner or OWASP has ever highlighted.
Summary:
So it is very much possible to get the right ROI on training, provided it is done with an understanding of:
- Why do you want to train?
- Whom do you want to train?
- What is the training aimed at?
Founder & CTO | Cybersecurity Veteran | SCADA OT Security | VAPT | ISO 27001 | ISO 22301 | ISO 42001 | Author
Agree with your viewpoint Chetna Pangare. Many companies seem to take ISO awareness training as one of the checked items. It's one of the most effective ways to percolate the standard's controls into the organization. I am adding my teacher (Sudharshan Balasubramanyam) here, who helped me gain great insight into ISO 27001.