Leadership optimize

Five IT training mistakes that alienate the audience

Training is still an important part of security plans and other IT initiatives, but it's not always welcome. Here are five common training mistakes to avoid.

IT departments are often charged with training other people throughout the company, whether it's to minimize data security risks, get people up to speed on a new system, or provide users with basic computer skills so they don't inundate the help with simple questions.

The problem: It's hard getting people to listen to IT training. It can be a drag just getting managers and employees to make time, and when they do show up to a session, the information often just goes in one ear and out the other.

What's the solution? According to some observers, the answer is to skip IT training altogether. For example, Dave Aitel, CEO of security firm Immunity, Inc., argued recently that user security training is a waste of time, and that all the efforts organizations have made to increase user awareness and education have done nothing at all to make companies' data more secure.

Other experts, though, say training is still an important part of security plans and other IT initiatives, but that IT should tweak its approach to training so the investment has more of a positive impact.

A good place to start is avoiding these common IT training mistakes:

1. Focusing too much on the company

Of course, the primary purpose of IT training is to help the company, whether by protecting its data or making sure users have the skills they need to stay productive. But if a training sessions focuses only on why it's important for the organization or its IT department, users aren't likely to pay close attention.

Instead, the information should be at least a little bit personal. For security sessions, that might mean offering tips on how users can keep their own data safe from cybercriminals, or telling them what effect losses due to data breaches might have on people's salaries. And, when training people to use an application, it's critical to point out why knowing how to use it properly will benefit them. Without those personal touches, it will be very easy for the audience to zone out.

2. Letting people think they know everything

In addition to short attention spans, one of the biggest obstacles to making IT training stick is some users' attitude they know everything and have nothing new to learn. That's especially dangerous when it comes to security education, as many data breaches have shown that even tech savvy users are vulnerable to making security mistakes.

One way IT can prove the point is by conducting in-house security tests - for example, IT can create its  own phishing scam and see how many users are fooled. Not only will that alert users to their own vulnerabilities, but the results of the test should also get upper management's attention and show them why security training is worthwhile.

3. Providing one-size-fits-all sessions

Even though everyone has something to learn, IT can't ignore the fact that some users know more about technology than others - and often, when people gripe about being forced to sit through a lot of information they already know, they have a legitimate complaint.

Therefore, for many training initiatives it may help to separate users into different groups based on their technical expertise and prior computer knowledge. That will help keep tech savvy folks from falling asleep during the really basic stuff, and prevent others from getting lost if the sessions move too quickly.

Also, it may help to group people based on job functions - for example, people with different levels of access to sensitive information might be better served by attending different training sessions.

4. Offering the wrong incentives

Some organizations attempt to get users to pay attention to IT training - especially security awareness - by offering incentives to people or departments that can demonstrate that they understand the information. That might include financial rewards for good security behavior, or penalties for violating policies and procedures.

However, a recent study from Harvard uncovered what the researchers say is a better approach to incentives: Offer a small reward up-front and then take it away of goals aren't met. The study looked at teachers' performance and found that people were more motivated to avoid losing something than by the possibility of earning a reward.

5. Choosing the wrong speaker

It's no secret that skilled IT pros aren't always the best at communication. But conducting IT training sessions requires both strong technical knowledge and the ability to convey that information in a way that is engaging and in a manner that users can understand.

If training is done in house, communication skills should factor in when choosing who will present the sessions. If there are multiple IT staffers with knowledge on the subject, some may make better trainers than others. Also, if the right skills are lacking, trainers could ask for advice from people in sales and others who are used to making presentations.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

3 comments
hung1962
hung1962

You have some good suggestions here, but they are based on trying to make the best of an ancient teaching method (one teacher and many students) in a modern world where learning can be done personally. It seems to me we should think about how we can program something fun and interactive for students of all levels that teaches what we need to know in an efficient way. We can then go online individually when we have time to "take the class".

DNeale
DNeale

I observed this phenomenon many years ago while working in IT managerial roles. It became clear to me that paying bonuses to employees had short-duration benefits. They would initially respond with appreciation and some positive motivational changes. But, not long after the bonus was paid, behavior returned to normal or, sometimes worse. However, after employees have become used to receiving bonuses, not receiving a bonus -- even when the company was known to the employees to not be doing well -- becomes a huge demotivating factor in their job performance. And the negative effect seems to last much longer than the positive effect from receiving a bonus. So, if a company implements a strategy of regularly giving bonuses, management needs to realize that employees will come to think of a bonus as an entitlement, they will plan on receiving it, and will be very disappointed (to say the least) when they don't receive it. It's better to just reduce the amount somewhat and give them something than to not give them anything at all.

lhAdmin
lhAdmin

I usually start our security awareness training sessions by showing them how easy it is to access someone's webcam with a simple google search. That usually catches their attention. Then sprinkle in a few Facebook related security tips, etc. And voila, you have an audience listening to almost every word. And security training does work. I've had users who before the training would have fallen for a few phishing tactics. Instead they knew how to recognize a fake. If I'm able to prevent at least one person from downloading the latest fake antivirus crap, I've saved our dept at least an hours worth of time & aggravation.