The cybersecurity team can be a challenging one for organizations to keep engaged and happy. Talent is scarce, turnover and burnout rates are high. That’s why employers have to keep existing teams engaged in their profession, and current on the latest threats and defenses.

To accomplish this, every organization needs a formal, standards-based cybersecurity training and education program for the employees responsible for securing their critical assets.

What are the key components of a training program? Whatever an organization’s unique circumstances, three major tenets must guide any training effort:

• Security is an obligation, not an option.
• Evolving technology and constantly changing threat landscapes require a long-term, agile commitment to security.
• Skills development should be measured for effectiveness.

Who should conduct training?

Corporate training is often led by Human Resources. But cybersecurity is a very specialized, dynamic discipline, requiring a focused, expert-led approach. If HR is in charge of training as a function, cybersecurity or IT leadership must be engaged and remain involved in cybersecurity training by assuming the responsibility of creating a curriculum that maps to its needs.

HR and cybersecurity/IT teams should decide together what areas of training and assessments are needed, as well as which cybersecurity team members should be trained and certified, at which point in their tenure, and for what applicable skill or domain.

What should the curriculum look like?

Developing a cybersecurity education curriculum requires that you start with a thorough assessment, which will uncover any needs that an organization may not have recognized yet.

An assessment should cover elements including which systems, platforms and applications are in place, which changes, updates and upgrades are planned, what data and assets need to be protected, and where existing security knowledge and skills gaps may exist.

In assessing training needs, planners must take care to focus on the organization’s needs – both immediate and long-term – and resist being pulled into irrelevant areas. Identify your organization’s most pressing needs and plan the training curriculum accordingly.

Further guidance on assessment and curriculum planning is available from the National Institute of Standards and Technology (NIST) 800-50 Framework. Guidance is also available from the U.K.’s National Cyber Security Centre (NCSC) and the European Union’s ENISA.

Get answers and insights to these questions and more during the (ISC)² webinar Protecting the Enterprise: 5 Components Needed for Cybersecurity Training on Tuesday, April 13 at 1pm EDT. 

Ways to approach training

Training from third-party providers is typically built around certification and certificate programs, and the development of specialized security skills. Industry standards training falls into three primary categories – vendor-specific, specialized skills like penetration testing and forensic investigations, and vendor-neutral certifications. Each has its rightful place in the program.

A comprehensive cybersecurity curriculum should include internal training components as well. To add to the knowledge gained through third-party programs, cybersecurity and IT security professionals should have opportunities to learn from their colleagues and senior team members who are familiar with the organization’s specific environments and practices.

Cybersecurity professionals can learn in a number of ways, including from senior team members with on the job learning from senior peers, mentoring programs or one-on-one sessions and classroom instruction. These are just a few ways training can happen.

Challenge even your most experienced team members to share their knowledge and present to their peers. This not only facilitates more knowledge sharing but helps hone communications skills among your team.

To learn more about how to create an enterprise cybersecurity training program, read our complimentary eBook, The Enterprise Guide to Establishing a Cybersecurity Training Program .