Traditional security training never worked. It was not then and is not now fit for purpose

Cybersecurity Training is Broken - Rois takes aim at cybersecurity training companies that seem to think we’re all three years old.

Picture: PC Pro Magazine Issue 360

Rois takes aim at patronising cybersecurity training software – and the companies behind them that seem to think we’re all three years old.

Cybersecurity training is broken. Is it? Is it really, though? In line with the current trend to offer trigger warnings for almost everything, here’s yours: a highly uncontroversial difference of opinion will follow. If that doesn’t appal you, you’re one of my people; let’s get into this.

So here goes: cybersecurity training is not, in fact, broken. It’s worse than that.

For the statement “cybersecurity training is broken” to be true, it would mean that at some point in its short history cybersecurity training had worked. I maintain throughout this article that the old-school traditional security training that we all know and loathe never worked. It was not then and is not now fit for purpose. I believe that businesses are wasting time and money. I think that the traditional training is so mind-numbingly tedious that it is having the opposite of the intended effect. Further, it’s contributing to the notion that cybersecurity or security training is for geeks, misfits and pedants and not for the business as a whole. And finally, that cybersecurity training is harder than splitting atoms with a butter knife.

I’ve written here before about the ham-fisted approach of using tantalising promises of bonuses in bait-and-switch corporate emails. This does nothing to improve the security of the business and everything to damage the trust and loyalty of the management that sanctions such actions. So while that’s part of the “olde worlde cybersecurity training”, I feel like we’ve been there before.

What’s really grinding my gears is the infantile, inane and idiotic security training programmes that staff all around the globe must endure. How do I loathe it? Let me count the ways.

1 Peppa Pig-style characters

Am I three years old? No. No I am not. Is your workforce made up of toddlers? Well, unless you’re operating an illegal sweatshop for minors, then probably not. I get the selling point: they want to make learning fun. But I’m not sure infantilising your workforce and requiring them to watch two-dimensional characters omit to lock a window is really the message you want to be landing with them. Saying “you’re brighter, smarter and more productive than our competition, we’ve selected you carefully and your time has value to this firm” is – oh, I don’t know – just a better corporate message for your teams. Treating them like adults says all of the above without saying all of the above.

While I decry the two-dimensional characters, there is a benefit to them. It allows me to highlight the lack of breadth and depth, not only in the childish imagery chosen by these overpriced providers of so-called training, but also in the content as a whole. If only every segue were as smooth. Bah-dum-tish.

2 The training content

If the visuals that accompany the training don’t make your teeth itch, how about the content?

This particular bugbear is a two-parter. First, when clients have asked me to evaluate training programmes they’re considering, I’ve consistently found errors and logical inconsistencies in every one I’ve reviewed. The trouble with this is that it’s Rubbish In: Rubbish Out, and now you’ve essentially infected your workforce with bad information.

You’ll recognise the other bit if you’ve ever been required to participate in the absurd setups that these security training programmes compel you to sit through. You have the 2D character walking around a building. The character has an option to close the door or leave it wide open.

Do you close the door behind you and watch for tailgaters? Or do you say, “come right in, stranger”? You truly are on the horns of a dilemma. If you spot someone you don’t recognise, they’re not wearing a lanyard and are unaccompanied, there is, in a Pascal’s wager kind of way, no downside to assuming the worst. There. If you omit the bit about Pascal, you can get all that into your head in under nine seconds. Don’t make me come back and test you on this next year.

But why favour efficiency when you can torture busy people by drawing out a bloated animated scenario that the user cannot fast-forward? That’s right: introducing issue number 3.

3 Time crisis

Time is money. When a business tolerates lots of meetings with no agenda or output, pursues strategies that are untested or rolls out training that prohibits the user from skipping to the question, it is in my view a waste of the subscription fee to the programme, a waste of company time and a waste of corporate treasure. There, I said it.

But just so I’m clear, devoting time to continual professional development is, I believe, time and money well spent. But disabling a grown man or woman’s ability to skip through an elementary scenario to a test that a primary school child could pass is a waste of resources.

There’s one simple trick to accelerating this whole process and saving time, money and goodwill. Remove that excruciating time lock that prohibits the worker from being able to go straight to the test. In fact, what am I thinking, here’s a radical idea: why not just start with the test? If the user passes the test, skip the training.

Security training that’s designed more to test your patience than your knowledge isn’t, at the risk of repeating myself, fit for purpose. If training were really doing the job it claimed, there is no way that people would be undertaking the same or similar training on a loop, year in, year out, as if you were trapped in some hellish Groundhog Security Training Day.

We’ve all studied and passed tests, whether it’s school, on-the-job training or driving. While we may need to refresh our memories on details, we rarely (if ever) have to undertake the same training every year. Never mind retaking the test. Just to flesh out the details for this, and to give this point some context, according to official statistics, in the UK in 2022 nearly 30,000 people were killed or seriously injured on the roads. But only those who are demonstrably poor at driving need to retake the training and the test. So why is security training being positioned as more difficult for Joe Public than operating a machine that can kill or maim people? We’re allowed to assume that people are smarter than this training presumes them to be. Or, in the alternative, not so oxygen-deprived that they can’t be trusted to remember to close a door behind them without annual training.

While my trash talk about rubbish content sounds bad, I promise you it’s only going to get worse.

Cybersecurity training + GenAI

Recently, following a request from a client, I attended a meeting to evaluate a proposed alternative to its current security training provider. While I have made a decent case for not deploying traditional security training, replacing like-for-like with like-for-less helps no-one. So what was it like?

On the face of it, the firm presented the material in a more sophisticated way, providing access to large amounts of information. Because of the enormity of the task of reviewing the library content, I wasn’t prepared to check its homework. To accelerate the process, I needed to know the source of the content to ensure its credibility and that it could be audited, plus how frequently the firm updated its information. Did it, for example, have push notifications for changes to the course material?

Not only was the firm unable to answer the question during the meeting, it was unable to supply the information after weeks of chasing. Instead, framed in my office on the wall of shame I have a copy of an email from someone in that firm taking aim at my “academic” approach. Given that we were discussing training material, that’s not the burn he thinks it is. Checking the sources for sense is imperative because the last thing any business needs is course material thrown together by generative AI. We don’t need more content, we need credible, pertinent content.

NIS2 requirements

There’s a lot of legislation that will require management bodies to gain and maintain sufficient up-to-date knowledge to assume responsibility for the firm’s cybersecurity risk management measures. The long-standing “training” programmes in the security field have never and will never provide executives with the substantial knowledge required to meet their burdensome legal obligations.

But if there is some light at the end of this tunnel, it is this. The entities that fall within the scope will need to make available to their workforce “similar training” that the executives undergo. And this is where the really interesting material resides. It’s not just shutting that door, it’s learning about risk management measures that can be applied in lots of areas because the fundamental principles are the same. This is where the interesting material lives, and it’s only useful and of value to firms if it’s up to date and clearly referenced.

And breathe…

It’s not before time that we kick security training providers who treat the workforce as if they’re dumber than a box of rocks to the kerb. There is room for new firms that take security training seriously to emerge. These new firms will need to use effective interventions for the right people at the right time and not treat the workforce like they’ve just graduated from nursery school.

Article by: Dr Rois Ni Thuama

First printed: PC Pro Magazine, Issue 360, dated 1st September 2024, pages 116-117, ISSN 1466-3821. Issue available from https://www.pressreader.com/magazines/m/pc-pro/20240901. Subscribe to PC Pro Magazine: https://www.magazinesdirect.com/uk/pc-pro-subscription/dp/8ce631dc

Reproduced here with kind permission from PC Pro Magazine.