
Moving from Cybersecurity Training to Learning

June 10, 2022

Companies publish reports on their ESG (environmental, social, and governance) efforts, workplace safety and employee well-being, and data privacy and security. However, when it comes to cybersecurity, businesses today need to make an effort to go beyond the training and reporting requirements. 
In a recent article for ToolBox for B2B, Shaun McAlmont, CEO of NINJIO, had a chance to share why and how companies need to embrace cybersecurity learning. Lesson one? Understanding that there is a clear difference between training and learning. 
Training is an input that provides information about a company’s cybersecurity priorities, while learning is an output that demonstrates how effective the company’s cybersecurity training platform is. Companies must focus on cybersecurity learning – evidence that employees can put their training into practice and keep the company safe from real-world threats.
Here are a few ways Shaun says leaders can ensure cybersecurity learning is really taking place in their organizations:

    Get stakeholder buy-in at every level of the organization. Cybersecurity initiatives can encounter resistance from company leaders responsible for managing costs and productivity. It’s essential for cybersecurity advocates to reach out to skeptical colleagues and address any concerns about cost, efficiency, and other factors that matter to managers and department leaders who may be less familiar with the long-term benefits of cybersecurity training.

    Develop rigorous metrics to track the success of your cybersecurity awareness programs. As companies dedicate more of their budgets to cybersecurity, they should invest in analytical tools that will help them track concrete outcomes and ensure that their resources are being put to good use. This trend will only pick up momentum as company leaders discover that a cyber-aware culture is indispensable to protecting their data, networks, and systems.  

    Use evaluative tools to determine whether employees are capable of putting what they’ve learned to use. When managers deploy microlearning content such as cybersecurity training videos, they can quiz employees to ensure that they remember the key points. Phishing tests also help to determine if employees can identify one of the most common types of cyberattacks (a recent PwC report found that 43 percent of companies have increased the employee report rate on phishing tests). 

When it comes to cybersecurity, a superficial approach simply won’t work. Companies have to assess their cybersecurity capabilities honestly, proactively educate employees on avoiding cyber threats, and determine whether their training programs have their intended effect.
