Last week I started a new series in security awareness training on how to communicate your awareness program. Even once you identify the most effective security awareness topics for your organization, you will not have an impact unless you effectively communicate those topics. Last week I broke down security awareness communication into two categories, primary and reinforcemnt. Today I would like to focus on primary. The purpose of primary training is two fold. The first is to communicate your program to new hires, contractors or other individuals who are not security aware and do not know company policies. The goal is to make sure everyone is on the same baseline (kind of like basic training in the military). This is often an annual program. In addition the tracking of primary training is often required for compliance purposes, to demonstrate to auditors that everyone is trained. In general the two most common methods for primary training are
On Site Workshops: This is when organizations provide onsite training, usually an instructor led presentation. Training is usually one to three hours long. The advantages of onsite training is it can minimize costs and if you have knowledgable, dynamic speakers it can be one of the most effective means to communicate. There is nothing more exciting then having a highly interactive presentation that gets both speaker and audience working together. The problem is On-Site Workshops do not scale well. If you have 5,000 or even 50,000 employees spread out around the world who will do all the speaking, how will you coordinate getting all these people into rooms at certain times, and do you have the facilities? In addition, you either need dedicated speakers who travel around the world, or you have multiple speakers in multiple locations. The challenge then becomes having high quality instructors that can communicate a consistent message. If you have the resources for onsite workshops, it can be one of the most effective means for primary training. The challenge is usually one of scale.
Online Computer Based Training (CBT): While CBT cannot create the interactive environment that an onsite workshop can, its greatest advantage is that it allows organizations to scale. Employees can take the training when they want, even from home. This ensures you can reach more people, and since the training is online you can easily track who took what training when (important for compliance). In addition it is simpler to ensure you communicate a consistent message to everyone, you can even translate the content so that message is communicated to employees in their native language. You also do not have to worry about locations or facilities, as you no longer have to physically bring speakers and end users together. Interestingly enough, three organization I have worked with in the past six months have also taken the extra step of making their CBT training available to employee families.
Each method has its advantages and disadvantages, which approach is right depends on your organization and your requirements. I have seen some organizations use a combined approach, where onsite workshops are used, but then online training is provided for employees who want to take it again or missed the onsite.