Today I came across an article from Harvard Business Review stating that “The Best Cybersecurity Investment You Can Make Is Better Training”. Is it? Is it really? The economic return of training – i.e. the value for money associated with security training (specifically awareness training) – is an area that I’ve been interested in for a long time, specifically because it tends not to work well as a means to attain certain types of outcomes. I’ll explain that in a minute, but let me start with the article itself.
The article makes some good points and it’s worth a read. If you don’t have time to read it though, the salient point I want to delve into is this:
The fact is, cybersecurity training is vastly undercapitalized, and the lack of investment in quality cyber education programs is manifest in the sheer volume of breaches that continue to be rooted in human failure… In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete. To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.
So, to be clear, let me start by saying that I agree with that… sort of. Training absolutely is a critical component of a robust defense; it is also “woefully undercapitalized.” Both true statements. But is there a causal relationship between lack of training and breaches? Are breaches a barometer of training efficacy? I think we can say almost certainly that they aren’t. Is training – on its own – “more effective” (or at least more economically efficient) than a technical control? I think it depends on what you mean.
My challenge with this though is that there are a few things implicit or presupposed here: 1) that the organization is effective at conducting certain specific kinds of training, 2) that the training itself is effective at accomplishing its goals, and 3) that there is a shift that occurs as a result of that training – specifically a shift in culture that self-reinforces after the training is complete. In the absence of any of these things, the training isn’t really a great investment. Let me explain what I mean. Consider a problem like software defects in the software you develop. What is the “best” strategy for attempting to improve that? There are a few things you might investigate:
- Deploy a static or dynamic application testing tool to help find issues in code
- Deploy an application firewall to block issues before they can be exploited (i.e. the code is still buggy, but now bad guys can’t poke at it)
- Train developers on secure development techniques (ideally with supporting guidance about what the secure coding techniques are and how to employ them)
- Make process adjustments to how code is developed, enforcing a security-aware lifecycle throughout the development process
Which do you do? Ideally, a blend of a few or all of them, right? But what if you don’t have infinite money — how do you prioritize such that you get maximum return for whatever investment you can make? It’s not always training that’s the optimal strategy to meet your goals. At least not if it’s a time-bound, point-in-time exercise. There are a few reasons why this is true: attrition/turnover, changes to business processes, organizational changes, technology changes, etc. Meaning, it’s not like you invest in training today and Bob’s your uncle (not even “Bob” Dobbs)… It’d be awesome if that were true, but really it isn’t.
For the reasons above, training needs to repeat – probably with some regularity – to account for turnover, org changes, etc. It also needs to evolve: you need to update it to address changing conditions. If you don’t believe it, check out the secure programming guide from 2003 compared to the current version of that same guide. Notice anything different? To be effective, it needs to be repeated (at a cost that tends to exceed the depreciation of a technical control) and it needs to stay current. Any value you derive from investing in a “point in time” training exercise decays over time – just the same way that the efficacy of a technical control decays over time through obsolescence (in fact, training decays faster). Anybody who has done anti-phishing exercises at their organization knows this firsthand.
The difference though is when the training is used to establish a self-reinforcing system or cultural shift. It seems to me that’s what the authors of this article are describing. Meaning, not a specific or isolated training event per se, but instead a campaign of training that leads to a specific cultural outcome and organizational mentality shift. In other words, the authors are describing an outcome (the cultural shift that can happen as a result of training) and not the training itself. Training is not an end; it’s a means to an end. What end in particular? Specifically, a cultural and mental shift in an organization, along with competence development among staff relative to certain types of events (specifically, security incidents).
The difference matters because an outcome where the culture of the organization is different after some action is potentially self-reinforcing. Meaning, a culture of security and preparedness self-reinforces and tends to drive further decision-making toward continual improvement. But that’s not “training”… it’s a cultural shift; its own thing. Can you accomplish a cultural shift with training alone? Sure, maybe. I wouldn’t try though. I’d use a combination of training, process and procedures to support the model, along with maybe some supporting technical controls that help to reinforce good behavior.
In fact, there are numerous other ways to accomplish this outcome beyond training. Process adjustments, policy, tone at the top… even technical controls can play a role. So is training the “best investment you can make?” Really, I don’t think it is. The better choice might be investments in changing your culture – for exactly the reasons that the HBR folks describe.