Training is still an important part of security plans and other IT initiatives, but it's not always welcome. Here are five common training mistakes to avoid.
IT departments are often charged with training other people throughout the company, whether it's to minimize data security risks, get people up to speed on a new system, or provide users with basic computer skills so they don't inundate the help desk with simple questions.
The problem: It's hard getting people to listen to IT training. It can be a drag just getting managers and employees to make time, and when they do show up to a session, the information often just goes in one ear and out the other.
What's the solution? According to some observers, the answer is to skip IT training altogether. For example, Dave Aitel, CEO of security firm Immunity, Inc., argued recently that user security training is a waste of time, and that all the efforts organizations have made to increase user awareness and education have done nothing at all to make companies' data more secure.
Other experts, though, say training is still an important part of security plans and other IT initiatives, but that IT should tweak its approach to training so the investment has more of a positive impact.
A good place to start is avoiding these common IT training mistakes:
1. Focusing too much on the company
Of course, the primary purpose of IT training is to help the company, whether by protecting its data or making sure users have the skills they need to stay productive. But if a training session focuses only on why it's important for the organization or its IT department, users aren't likely to pay close attention.
Instead, the information should be at least a little bit personal. For security sessions, that might mean offering tips on how users can keep their own data safe from cybercriminals, or telling them what effect losses due to data breaches might have on people's salaries. And, when training people to use an application, it's critical to point out why knowing how to use it properly will benefit them. Without those personal touches, it will be very easy for the audience to zone out.
2. Letting people think they know everything
In addition to short attention spans, one of the biggest obstacles to making IT training stick is some users' attitude that they know everything and have nothing new to learn. That's especially dangerous when it comes to security education, as many data breaches have shown that even tech-savvy users are vulnerable to making security mistakes.
One way IT can prove the point is by conducting in-house security tests - for example, IT can create its own phishing scam and see how many users are fooled. Not only will that alert users to their own vulnerabilities, but the results of the test should also get upper management's attention and show them why security training is worthwhile.
3. Providing one-size-fits-all sessions
Even though everyone has something to learn, IT can't ignore the fact that some users know more about technology than others - and often, when people gripe about being forced to sit through a lot of information they already know, they have a legitimate complaint.
Therefore, for many training initiatives it may help to separate users into different groups based on their technical expertise and prior computer knowledge. That will help keep tech-savvy folks from falling asleep during the really basic stuff, and prevent others from getting lost if the sessions move too quickly.
Also, it may help to group people based on job functions - for example, people with different levels of access to sensitive information might be better served by attending different training sessions.
4. Offering the wrong incentives
Some organizations attempt to get users to pay attention to IT training - especially security awareness - by offering incentives to people or departments that can demonstrate that they understand the information. That might include financial rewards for good security behavior, or penalties for violating policies and procedures.
However, a recent study from Harvard uncovered what the researchers say is a better approach to incentives: Offer a small reward up-front and then take it away if goals aren't met. The study looked at teachers' performance and found that people were more motivated to avoid losing something than by the possibility of earning a reward.
5. Choosing the wrong speaker
It's no secret that skilled IT pros aren't always the best at communication. But conducting IT training sessions requires both strong technical knowledge and the ability to convey that information in a way that is engaging and in a manner that users can understand.
If training is done in-house, communication skills should factor in when choosing who will present the sessions. If there are multiple IT staffers with knowledge on the subject, some may make better trainers than others. Also, if the right skills are lacking, trainers could ask for advice from people in sales and others who are used to making presentations.