2023 will see more focus on security training programmes that not only provide employees with an understanding of the risks they face but more importantly drive measurable behavioural change, says PA Consulting’s Richard Allen
- Richard Allen
Published: 27 Feb 2023
As we enter 2023, the pace of technological change continues to accelerate, the effects of the Covid-19 pandemic continue to transform the ways organisations and their employees work, and there continue to be huge shortages of cyber security professionals. Cyber security training has rapidly evolved in recent years, so what might 2023 bring?
Cyber security awareness training
Today’s hybrid working world, where many employees have access to critical data at home and are using business networks through personal devices or infrastructure, continues to create heightened cyber risk for employers. Given that research shows that about 80 percent of cyber incidents can be avoided by practising simple cyber hygiene, 2023 will see many organisations continue to increase their spend on cyber security awareness training. This will need to cover not only basic areas such as password strength and protection from phishing and identity theft, but also how workers should share and handle confidential data.
But not all cyber security awareness training is the same. This year we are specifically likely to see an increased move towards those providers whose platforms deliver intelligent cyber security awareness education, personalised advice and nudges/micro training in response to individual actions. These approaches aim to balance technology, process and people to build resilient organisational security cultures. With an increasing ability to measure behaviour, this type of platform significantly advances both the delivery of security training and the measurement of the impact of that training.
Increased demand for professional certifications
Undoubtedly professional certifications make employees more attractive to prospective employers. As a result, some firms shy away from offering these to employees fearing that they are paying for someone to gain the qualifications needed for their next job. However, professional certifications can also play a key role in keeping security staff engaged and feeling like they have a future with the organisation.
Recent years have seen a proliferation of training providers and courses, and it can be difficult to identify highly competent trainers and good quality courses. 2023 is likely to witness increased demand for industry-recognised professional certifications from established training providers, or for courses that have gained external assurance, such as those included on the NCSC Assured Training scheme.
A move back to the classroom
In the last few years there has been a sudden shift towards the online delivery of technical training, not least because of the Covid pandemic. While teaching cyber security online may seem like a logical extension of the digital age and perhaps the best way for people to learn, an increasing number of delegates are reverting to attending face-to-face training courses. This is particularly the case for those courses delivering a high degree of technical knowledge and skills. The reason may be as simple as delegates wanting a different experience from their day-to-day activities, but it’s more likely that face-to-face interaction with an instructor and other participants enables more effective non-verbal communication. Classroom training offers the ability to discuss, collaborate and practise with a tutor on hand who can adapt the content and approach, resulting in a better learning outcome and experience.
Teaching technical cyber security skills to a wider audience
The global cyber security skills gap continues to be a challenge for many organisations. With the (ISC)2 2022 Cyber security Workforce Study suggesting that 3.4 million more cyber security professionals are needed worldwide, including 57,000 in the UK, there is unlikely to be a quick resolution of this problem.
While many organisations have started to attempt to uncover and recruit diverse external talent in order to address this, the idea that providing technical cyber security training to only a narrow audience is enough no longer reflects reality. As a result, there is a growing trend for proactive industry leaders and organisations to provide a far greater number of their employees with this type of training. This also provides organisations with the opportunity to identify individuals with complementary skill sets who could move over to security roles.
Developing cyber resilience has become a key objective of many organisations’ cyber security training efforts. Understanding how to respond to, continue to operate during, and recover from an attack is paramount. That requires developing processes, exercising them and training the individuals who can carry them out, at varying and increasing levels of complexity. This enables the organisation to keep up with the latest threats and attack trends not only by securing against them, but also by preparing for them to happen.
Historically, many organisations saw training as an expense rather than an investment. Now many recognise the importance of cyber security training in building a cyber-secure organisation. That means the year ahead will see more focus on cyber security awareness training programmes that not only provide employees with an understanding of the risks they face but, more importantly, drive changes to their behaviours that can be measured. At the same time, the requirement to build technical capability will accelerate across organisations as they provide the training their workforces need to get out in front of the bad guys.
Richard Allen is a cyber security expert at PA Consulting