Most security training providers have basic analytics for performance and attendance, and they call it data. But how do they prove that training is actually working? Without the right workforce and training data, CISOs and security leaders run the risk of missing critical skills gaps that can consequently slow innovation projects and increase cyber risk.
Whether auditing your current solution or evaluating a potential new program, here are four essential data points that every CISO should have from their security training provider:
- An Actual Skills Baseline
- Midway Status Report
- Exam Readiness
- Performance Growth & Final Evaluation
An Actual Skills Baseline
A little bit of pre-work can go a long way in creating a successful cybersecurity workforce development plan. As with any strategic plan, it’s important to have a clear understanding of where you are at present in order to map out where you need to go.
Take stock of the current, forthcoming, and desired security functions and the necessary skills for each role. Next, most importantly, is understanding your team’s current competencies and skills gaps to establish a baseline. This can be accomplished through knowledge and skills assessments to help guide training roadmaps that target those gaps and provide a definitive marker to measure against once you implement training. More on that later in the article.
Midway Status Report
See if these sound familiar.
Bootcamp training offers little to no visibility for leaders on employee performance and engagement throughout their certification training. Bound by strict teaching structures and literally no progress data, trainers are unable to accommodate and leaders are limited in their ability to intervene if employees are underperforming.
On the flip side, some video subscription training providers have more visibility through basic analytics that captures content usage and video completion rates, but lack the ability to measure whether employees are actually learning from those courses. If they’re not, there’s little guidance on what’s needed to course correct.
A fully comprehensive training program must have and measure more than attendance and usage data to ensure training is on track. Moreover, it should constantly review progression so it can adapt quickly to individual or group needs. Insights should include engagement metrics plus performance analytics from homework, quizzes, task-based activities, and practice exams.
Be sure to ask questions about what insights are provided to gauge progress, and remediation tactics to ensure employees receive the most support to be successful. For example, are there options such as 1:1 instructor office hours or additional content to get individuals back on track?
Exam Readiness
For most certification prep courses, the only metric to demonstrate preparedness for a certification exam is a Pass/Fail score after training is already over. If the outcome is unfavorable, your training dollars are spent and you’re a credential short. But this doesn’t have to be the case.
Find a training program that combines basic engagement metrics with performance analytics from knowledge checks, quizzes, task-based activities, and practice exams to determine an employee’s exam readiness. You can then allocate exam vouchers to individuals who meet the desired performance threshold, saving money on retake attempts.
For one organization, that savings was $90,000, just by using predictive analytics in their certification training. This organization suffered consistently poor pass rates with their bootcamp model, and consequently, high costs for exam retakes. After enrolling 200 individuals through an alternative, data-driven solution, they were able to predict with 95% accuracy who would pass the exam on the first try.
Performance Growth and Training Evaluation
This should be a given. The most important question that training providers must be able to answer is, “Did this make you better at what you do?” As noted above, a skills baseline provides a strong metric to evaluate outcomes as compared to goals set at the beginning of the engagement. Based on the results, you can build a long-term training plan or apply the data to a greater workforce development strategy.
Look for providers that offer a thorough analysis of performance growth, delivery, and content tracks, in addition to recommendations for continuous improvement.
Final Thoughts
You will not be able to fix everything at once, but prioritization matters, especially when it comes to the most expensive resource you have: your teams. It’s amazing what you can accomplish in your cybersecurity program with the right data to measure, analyze, and prioritize the things you need to advance.