{"id":210,"date":"2017-05-17T16:31:18","date_gmt":"2017-05-17T16:31:18","guid":{"rendered":"http:\/\/securitycurve.com\/?p=210"},"modified":"2017-05-17T16:31:18","modified_gmt":"2017-05-17T16:31:18","slug":"not-training-outcomes","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=210","title":{"rendered":"Not training… outcomes"},"content":{"rendered":"

\"\"<\/a>Today I came across an article from Harvard Business Review stating that\u00a0“The Best Cybersecurity Investment You Can Make Is Better Training”<\/a>. \u00a0Is it? \u00a0Is it really? \u00a0The economic return of training – i.e. the value for money associated with security training (specifically awareness training) is an area that I’ve been interested in for a long time. \u00a0Specifically, because it tends not to work well as a means to attain certain types of outcomes. \u00a0I’ll explain that in a minute, but let me start with the article itself.<\/p>\n

The article\u00a0makes some good points and it’s worth a read. \u00a0If you don’t have time to read it though, the salient point I want to delve into is this:<\/p>\n

The fact is, cybersecurity training is vastly undercapitalized, and the lack of investment in quality cyber education programs is manifest in the sheer volume of breaches that continue to be rooted in human failure…\u00a0In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete. To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.<\/p><\/blockquote>\n

So, to be clear, let me start by saying that I agree with that… sort of. \u00a0Training absolutely is a critical component of a robust defense; it is also “woefully undercapitalized.” \u00a0Both true statements. \u00a0But is there a causal relationship between lack of training and breaches? \u00a0Are breaches a barometer of training efficacy? \u00a0I think we can say almost certainly that they aren’t. \u00a0Is training – on it’s own – “more effective” (or at least more economically efficient) than a technical control? \u00a0I think it depends on what you mean.<\/p>\n

My challenge with this though is that there are a few things implicit or presupposed here: 1) that the organization is effective at conducting certain specific kinds of training, 2) that the training itself is effective at accomplishing it’s goals, and 3) that there is a shift that occurs as a result of that training – specifically a shift in culture that self-reinforces after the training is complete. \u00a0In absence of any of these things, the training isn’t really a great investment. \u00a0Let me explain what I mean. Consider a problem like software defects in developed software. \u00a0What is the “best” strategy for attempting to improve that? \u00a0There are a few things you might investigate:<\/p>\n