If you wake up one day and have found yourself at the intersection of Human-Cybersecurity-Risk-Management Avenue and Learning Management System Boulevard, you already know it’s a busy place with a ton of traffic. Look both ways before crossing the street.
Humans and technology: We use it, we love it, and we connect with it. We use it professionally, and socially, and everywhere in-between. Unsurprisingly, as these lines have blurred, we find ourselves in a situation where we enjoy almost limitless access to an amazing mish-mash of digital stuff across seemingly countless devices. (Don’t get me wrong – It’s good to know that both the notes from last week’s engineering meetings and Aunt Ester’s pot roast recipe can be transported to my cell phone on a Slack Channel.)
Limitless access to technology is good, but it can be risky. There are bad guys out there, and that is the downside of open technology access. These people can profit financially, politically, even militarily.
Meanwhile, some folks have roles as the cyber gate-keepers of information. They defend data with tools like encryption and firewalls. They fight the good fight, quietly in the background, turning away countless attacks, and are rarely recognized for their efforts. (Have you thanked your cyber guardian today? If you’re the cyber guardian, we applaud you. Keep up the good fight.)
Another role, with a slightly different spin, finds us working the same problem from a different angle: “human cyber risk management”. Those who have these roles train individuals to be harder targets and better data stewards. Often this management or training involves a careful balance between convenience and attention, as well as what should be shared and what should be left private.
The tools for cyber-training your learners can be gathered in a few big buckets: training, simulation, and delivery. Choosing the right training and simulation packages is important, of course, but let’s focus on a reality that many cybersecurity training program managers face: the delivery of training via a Learning Management System (LMS).
Understanding the role of the LMS
A Learning Management System is an application used to plan, deliver, and track training. It also helps to assess learner activity and aggregate reports to produce an overview of training effort results. Depending on the platform capabilities and content presented on the LMS, the training could consist of some mix of computer-based training (CBT), video modules, games, simulations, and so on. Essentially, the LMS your organization uses helps you get the right training to the right people and measure the results.
Why use a Learning Management System? The Good, the Bad, and the Ugly
In the security awareness business, we see an LMS used in just about every kind of way.
The good: Some organizations have shiny, next-gen SaaS products with sleek web interfaces that are deeply integrated with HR talent management systems, or even systems that have been carefully built or customized to perfectly address the organization’s unique needs.
The bad and ugly: Some organizations are still using crusty, well-worn versions of Moodle (an online, open source platform). They'll drag it out each year to do annual compliance training – updating nothing, with both the interface and the training as unconvincing at doing their job as you are bored assigning them.
The good news is that if your organization is already regularly utilizing an LMS, it could make your job easier. If the setup, logins, people, and conventions around using the company system are well established, you can focus on building and deploying your training – even if the system is a little well-worn.
Getting the Job Done Right with Your LMS
Before launching an awareness training program on your LMS, take some time to get to know your system first. Remember this simple goal: “Get the right training to the right people.” While the definition of “right” might change depending on your security program’s maturity, you still need to cover some basics. (If you'd like to learn more about program maturity and how to benchmark it, we've detailed The Security Awareness Maturity Model© in the 2018 SANS Security Awareness Report. It is the key measure of program impact and success, as established by the level of measurable human risk that can be mitigated by changing end-user behavior.) While most awareness programs have a few things in common, there are some common LMS-focused questions you need to address first:
1. How do I get training onto this thing?
No matter how you slice it, getting training content onto your LMS may seem challenging, especially if this is one of your first ventures. Fortunately, LMS platforms are designed to help with this job once you understand a few facts.
Almost all systems, even the older ones, are typically based on a few industry standards such as SCORM, AICC, or xAPI.
- SCORM stands for Shareable Content Object Reference Model. It’s a set of technical standards for e-learning software and is the most popular standard in the industry.
- AICC is actually an acronym for a governing body: The Aviation Industry Computer-Based Training Committee. Way back in the ’90s, this committee designed the first e-learning standards for learning management systems. Even though it’s an older standard, it’s still fairly popular.
- xAPI (or Tin Can) was developed more recently, in 2011. The American Development Learning group of the U.S. government created another standard, with the initial nickname “Tin Can” but officially released as the Experience API (or xAPI). It’s the newest of the standards.
These standards or specifications are simply the ways training companies and training tools package up video, documents, gamified content, or other types of learning material so they will work with learning management systems. Match up the training’s standard with the LMS, and you should be all set. To learn more about the history and use of the standards, check out this article by Brian Westfall.
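One way to check which standard a vendor package uses before uploading it, as an added example that is not part of the original article. It relies on the conventional marker files (imsmanifest.xml for SCORM, tincan.xml for xAPI, .au/.crs/.cst/.des files for AICC); the sample packages, file names, and the OLD_LMS list are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

AICC_EXTS = {".au", ".crs", ".cst", ".des"}  # AICC course-structure files

def make_zip(files):  # helper for the constructed samples: {name: text} -> zip bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

def detect_standard(package):
    """Return the packaging standard of a course zip (bytes), or 'unknown'."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = {n.lower(): n for n in zf.namelist()}
        if "tincan.xml" in names:        # xAPI (Tin Can) package descriptor
            return "xAPI"
        if "imsmanifest.xml" in names:   # SCORM manifest at the zip root
            # Vendor-supplied XML: use a hardened parser for untrusted packages.
            root = ET.fromstring(zf.read(names["imsmanifest.xml"]))
            for el in root.iter():
                if el.tag.rsplit("}", 1)[-1] == "schemaversion":
                    version = (el.text or "").strip()
                    return "SCORM 1.2" if version == "1.2" else "SCORM 2004"
            return "SCORM (version not declared)"
        exts = {"." + n.rsplit(".", 1)[-1] for n in names if "." in n}
        if AICC_EXTS <= exts:            # all four AICC descriptor files present
            return "AICC"
    return "unknown"

def mismatches(packages, supported):
    """Names of packages whose standard the LMS does not list as supported."""
    return sorted(n for n, p in packages.items() if detect_standard(p) not in supported)

# Constructed sample packages (not real vendor content).
MANIFEST = ('<manifest xmlns="http://www.imsproject.org/xsd/imscp_rootv1p1p2">'
            "<metadata><schema>ADL SCORM</schema>"
            "<schemaversion>{v}</schemaversion></metadata></manifest>")
SAMPLES = {
    "phishing-scorm12.zip": make_zip({"imsmanifest.xml": MANIFEST.format(v="1.2")}),
    "passwords-scorm2004.zip": make_zip({"imsmanifest.xml": MANIFEST.format(v="2004 3rd Edition")}),
    "travel-xapi.zip": make_zip({"tincan.xml": "<tincan/>", "index.html": ""}),
    "legacy-aicc.zip": make_zip({"course" + e: "" for e in AICC_EXTS}),
}
OLD_LMS = {"SCORM 1.2", "AICC"}  # hypothetical: standards an older LMS supports
```

Calling `mismatches(SAMPLES, OLD_LMS)` lists the packages that would need a different format from the vendor before they can be loaded.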
2. Where can I get cybersecurity awareness training content?
When it comes to getting the content, you have a few options. You could build it in-house, assuming you understand the relevant security topics and content or have the skills/resources to build it. I should note that covering relevant security topics is important, but they do change regularly depending on the most current threats and attacks.
You’ll also need the tools to package it up and deploy it onto your LMS. Some larger companies have access to this type of tech and talent. Truth be told, we often see organizations attempt to do it and find they only partially address the security training they require; many companies take a run at it and only end up going a different way. I myself, at one point in my career, was found standing in front of a whiteboard with a video camera pointed at me while talking about the necessity of using VPNs to access some services on our network. It was ugly, and I was happy to drop it and look for a more “professional” solution.
You could buy training content. There are a multitude of vendors that can supply a variety of topics and present them in a variety of ways. Personally, I’d recommend having an in-depth understanding of your program goals before you go shopping. Some vendors offer a dizzying array of content while some keep it simple. Before getting caught up in the options, just remember your mission and try to keep training in the 15-30 minutes per year range. Remember that every minute counts, the effectiveness of the training matters, and presenting content that is “cool” only helps if it helps meet your program objectives. If you need help on this, we’ve created a short guide with a companion checklist to help you pick the right awareness training vendor.
3. What about the stuff that is unique to my organization?
Keep in mind that, even if you search, find, and select the ideal training for your organization, you will likely need to add a little local flavor to fit your corporate culture and needs. Work with your LMS people and see how you can incorporate your local cyber and acceptable use policies into your training cycle. Most LMS programs will have some way to do this, but it can sometimes get a bit wonky. Getting help from your experts will help ease the process and help you get a more customized training program.
4. How do I manage all my people (trainees, learners, users)?
Assuming you now have put together the training program that fits the goals and needs of your organization, you’ll need to work out who to give that training to. Many programs focus on compliance goals to make sure “everyone takes some basic package of essential cybersecurity training.” More mature programs do a better job of training alignment to audience and supplement the basics with additional training for people in certain roles. For example, they may decide to take the HIPAA training out of the “core” training and give it only to individuals in the HR areas or make sure that PCI training is only delivered to the people that handle credit card data. Neither program is strictly “better”, per se. They simply reflect different goals and maturity levels for your program.
They also require different representations of people in your LMS. If you are going to assign training to those HR people, the system will have to know who is in HR. Dig in a little – almost all learning management systems have role or grouping capability. Ask questions and research your departmental structure thoroughly. If your training individuals are already using these groupings, all the better. We will talk more about program maturity, why it matters, and when to go there in another article.
5. What about Security Awareness Tips or Hacks?
One key to a successful security awareness program is to work with your leadership. Whether it’s your CISO, your CIO, your VP of risk management, HR lead, or whoever is ultimately responsible for your security program, chances are everything will go much smoother if you have their support. Don’t assume that because they said “go do this” they will love the outcome, measures, and rollout of the program you’ve created. Have them preview the packages, understand the program schedule, and buy into the strategy.
When you pull the trigger and send training to hundreds or thousands of trainees on your LMS, you are going to want leadership to know that some of them will likely react less than enthusiastically about having to take the training. Let your exec know that some will say it’s not necessary, it takes too long, and that they already know this stuff. A word of advice: get ahead of this; forewarned is forearmed.
When it comes to zeroing in on the specific awareness training content your organization should have, your best first step is to ask around. Research is your friend here. Get some guidance from your IT security department, do some surfing and ask your vendors. There are also some fantastic security awareness communities chock full of people running these types of programs. Get some advice, get involved. Jump into a LinkedIn Group, or follow some pros around on Twitter (blatant shout-out to my colleague, Lance Spitzner, who tweets about this regularly), maybe check out Bruce Schneier or Brian Krebs. Keep up on what’s what in the security awareness world. These forums are full of the latest hacks, strategies, and issues. (Hint: shoot one to your boss every now and then.)
Lastly, dig in on your metrics. Reporting systems vary widely on LMS platforms, but anything you can show about the impact of your program will help your leadership (and you) understand the value of the training. Remember, helping leadership communicate the value of the program around and up the chain will pay huge rewards down the line for your security awareness program.
Summary – Crushing Security Awareness with Your LMS is Totally Doable
Let’s review. Your LMS may be ugly, but it may also be your friend. Someone, somewhere knows it, maybe even loves it; go and find them, bring them coffee.
Chances are, your LMS already knows your organization and holds the people you want to reach. Sort out your training priorities, the “who needs what” questions. Keep in mind that if you are trying to make a difference, this is a long fight – you don’t need to win in round one. Your leaders matter, and they matter big. Many awareness programs eventually reach every single person in the organization and can thus be a source of serious pain or a point of pride for your boss; loop ‘em in early and try to make sure they get “it”. Talk to your peers, your security folks, and connect with the greater community.
You aren’t in this alone. You may just need some cyber-savvy friends in your corner to find LMS success.