Four cloud security training tips to power up your in-house training sessions

Jim Donnelly   ·   Tuesday, March 30th, 2021

It’s a common industry refrain that people, not systems, are typically the largest security vulnerability in any enterprise. Cloud security professionals even have a name for this vulnerability: The human attack surface.

“Your people are your assets, and you need to invest in them continually,” says Wesley Simpson, COO of Intrinsec partner organization (ISC)², in TechRepublic.

Similar to updating operating systems or computer hardware, companies need to keep their employees up to date or court disaster. “Most organizations roll out an annual training and think it’s one and done,” he adds. “That’s not enough.”

That’s because enterprises of all stripes are under siege by a battery of established and emerging cyber threats.

Accenture research indicates 68 percent of business leaders say their cybersecurity risks are trending upward, and that security breaches have increased 67 percent since 2014. IBM pegs the average cost of a breach at $3.86 million. Accenture also says the average malware attack costs enterprises an average of $2.6 million.

Most hacks and breaches aren’t even identified for several months (including this doozy, which we’re guessing you’ve probably read about).

It all adds up to a need to continually invest not just in cloud security infrastructure, but in your people, as well. “If you don’t get your people patched continually, you’re always going to have vulnerabilities,” adds Simpson in the TechRadar piece.

But it’s also worth looking at the type of cloud security training your employees receive.

Are all your various business units and regions on the same page and using the same terminology?

Did you pay a premium for one-on-one instruction to a solo employee who may end up leaving (and taking all that knowledge out the door with them) down the road?

Were group training options available?

Just how effective have your past training sessions been, and how can you improve going forward?

Depending on which training approach you’ve taken in the past, the answers may surprise you.

Which is why we’ve compiled a list of four of the most important cloud security training tips for successful in-house training sessions.

#1  Get multiple business units involved in group training

Training specific individuals at your enterprise is good and certainly better than no training at all but group training involving several people from multiple business units is far better, for a bunch of reasons.

Probably the most obvious is that a lack of trained cybersecurity personnel at your organization can put your entire business at risk, especially in today’s climate of seemingly non-stop cyber threats.

But in a general sense, whether you’re doing cybersecurity training or upskilling staff on the latest software, cross-departmental education and training can help break down silos between departments and business groups.

When groups learn together they tend to understand each other better and, by extension, work better as a team. They’ll develop empathy for one another as they more fully understand and appreciate the difficulties faced by other teams, building a culture of collaboration across the enterprise.

And in a relatively technical field like cybersecurity and cloud security, it’s also vital for everyone to use the same language and terminology.

Cross-departmental training can also boost team performance, according to the American Society of Association Executives, “as teams are pollinated with new ideas.” The ASAE also says this method of group training can help identify new team leaders while improving recruitment and retention.

Group training involving multiple departments also helps maximize training budgets (which we’ll get into further below).

You may think simply involving one or two people or groups and excluding others will save money on training costs, but that usually backfires. Other groups will eventually need training as well, and you’ll ultimately spend far more on one-off engagements.

#2 Involve a range of employees from various roles

Those responsible for cloud security, risk management, and compliance from different groups should of course always be involved in this kind of group training.

But it’s also important to include a healthy cross-section of your employee base, including employees not directly involved in IT security. An effective approach we’ve seen several of our clients take involves a range of different roles from various groups or regions across the enterprise.

Such a “cross-training” approach helps the enterprise and its employees in various ways.

While similar to the concept of group training, cross training goes even further by ensuring a diversity of skill sets among all your employees.

It helps mitigate risk for the business by ensuring a critical mass of your people are security savvy.

It improves your bench strength by creating employees who have “deep expertise in one area and a working understanding across disciplines, which gives them insight into the bigger picture,” according to IDEO CEO Tim Brown.

And it can help prepare lower-level employees for promotions or shifts into other areas of the business.

Additionally, this Deloitte survey of millennials indicates that being given the chance to lead combined with professional development training are big factors when evaluating prospective employers.

Whoever you decide should be involved, most training organizations offer foundational courses more suitable for everyday employees all the way to specialized certifications for security professionals.

#3 Take advantage of group and other discounts

Training budgets are tight at many organizations, but that doesn’t mean there aren’t creative ways to get a large number of your people and groups involved. Some training providers, such as (ISC)², offer member discounts if participants meet certain criteria.

Group training, as well, is a great way to realize volume discounts on training packages, although it should be noted that many providers place a cap on the number of trainees per group (often around 30 or so).

These group deals typically offer a range of services, including live training by an authorized instructor, training materials, access to class recordings, exam review materials, and instructor support.

You can also arrange with training organizations for custom group packages.

#4 Training doesn’t stop when the course is over (keep sharpening those skills!)

One of the most important cloud security training tips enterprises can learn is that employee training is never really complete, even for seasoned IT professionals.

Including an element of security awareness training during the onboarding process can help keep cybersecurity top of mind (everyone at your organization should at least know the basics, including how to handle email scams, to proper password security, to how to spot malware).

But even when your employees are up to date with the latest information, you’ve got to ensure they know how to deploy those skills when it counts or at least don’t forget everything after a few months.

Similar to how military units constantly drill to keep their skills sharp, enterprises can do the following:

• Don’t do “one and done”: Conduct regular training sessions ideally once per quarter, and at least a couple times per year.
• Consistently communicate: Keep employees abreast of the latest threats that could impact them and the enterprise via email, Slack, or other collaboration software (even posters in the lunchroom can work if your staff is back in the office).
• Keep ’em on their toes: Scheduling regular but not predictable live-fire simulations (that seem just like a real attack or phishing attempt) can be very effective at helping employees stay prepared. In real life, after all, people can fluster under pressure. The best way to avoid mistakes is practice.

Realize the benefits of cloud security across the enterprise with the right partner

Comprehensive cybersecurity and cloud security group training benefits your entire enterprise.

It helps your organization stay secure and compliant, minimizing downtime of mission-critical corporate systems and keeping customer trust intact.

It keeps employees “patched” with the latest security information while helping build a more security-focused culture at your organization, especially when multiple groups and employees can refer to the same training and use the same cloud security terminology.

Group training empowers employees of all stripes to branch out beyond their main skill set, driving better employee satisfaction and improving recruitment and retention.

But to truly maximize your cloud security training dollar, it’s also important to partner with the right provider. Intrinsec is North America’s top cloud security training company, offering a broad range of vendor-neutral training courses from foundational to specific certifications, including comprehensive training across the enterprise.

We continuously work with Fortune 1000 and large government agencies around the world to keep their IT teams (and other employees) up to date.

Because if you don’t keep your employees patched, it’s likely only a matter of time before someone develops an exploit for one of them.