The cybersecurity industry has always been about managing risk, but the conversation around employee training has shifted dramatically in the last year. One of the major factors driving this change is the rise of cyber insurance providers, which now offer a product as essential as property and casualty insurance for most companies. Because cyber insurance is based on risk, the cost of the product and the cost of risk have become top-of-mind for business leaders.
As a result, the goal of cybersecurity awareness training has shifted from creating an educated workforce to reducing the risk associated with an uneducated workforce. While these may seem like two sides of the same coin, there is a critical difference: how success is measured. If the goal is to educate employees, success can be measured through tests that confirm whether the students absorbed information. If the goal is to reduce risk, success must be measured through changed behavior. It’s not what employees know, but what they do that matters.
Cybersecurity awareness training has always included two parts: knowledge transfer and changed behavior. While these fundamental components remain the same, the focus and emphasis have shifted. With the spotlight now on reduced risk, training providers must demonstrate how they change behavior and measure that change. Customers will demand proof of results, and training providers will need to deliver.
Some training providers are beginning to recognize this shift, but more change is on the horizon. As the industry evolves, customers can expect muddied messages, new descriptions of the product, and new ways of measuring training success. Those who make the most of the changing landscape will be those who remember that the two primary pieces of cybersecurity awareness training – knowledge transfer and changed behavior – haven’t changed. Providers who have produced the best results in the past are likely to have a solid starting advantage as the industry moves forward.
In summary, the conversation around cybersecurity awareness training has evolved in the last year, driven in part by the rise of cyber insurance providers. The goal is now to reduce the risk associated with an uneducated workforce, which means measuring success through changed behavior. Training providers must demonstrate their ability to drive results, and customers will demand proof of success. While the industry may be in flux, the fundamental components of cybersecurity awareness training remain the same.