Quality security training is a costly investment. Multiple-day training sessions are usually required for significant learning topics and are almost exclusively fee-based. And the fees are not the only investment. Key staff must be taken out of the field to attend the course, resulting in opportunity costs and lost work hours.
But our adversaries are not at rest. While not all attackers’ skills are on the bleeding edge, the threats we should concern ourselves with are dynamic, quick studies, and learn on demand. We need to keep up; we must make learning investments.
This article is about maximizing these investments, namely, how to get the biggest bang for your buck when investing time and money in training. I'll focus (pun intended!) on my top 5 recommendations, in priority order.
The obvious temptation for trainees is to pursue the age-old lost cause of multitasking, trying to get the best of both worlds, or hedge their training bet by "just getting some quick things done" or catching up on email. Some of you will shake your head, thinking "Pssh, amateurs! I can focus on two things at once, I do it all the time!"
If that's you, turn off your ego and read what NPR and The Telegraph say ("Think You're Multitasking? Think Again" and "Multitasking Is Scientifically Impossible, So Give Up Now").
Still not convinced? Take the quick test Psychology Today outlines in "The Myth of Multitasking." This test conclusively puts the notion to bed.
Training events fully back those findings. Any trainer can tell you frustration-ridden stories of the outcome of multitasking. Frustration for the rest of the class when one person falls behind and asks a question that was just answered. Frustration for the student that's confused because they missed something. Frustration for everyone when someone misses something important because they 'weren't all there.'
The biggest obstacle to maximizing training investment is students being unable to resist the draw that Internet-connected training tempts them with: email and browsers are a window away. The only way to counter this is through focus. In some extreme cases, training administrators or management disable Internet or even local network access.
Another mental acuity-related issue is what I think of as 'turning off' during training. People very commonly adopt a 'lead me by the hand' mentality, whereby they seemingly forget everyday skills they already possess. The conversation goes something like this:
Student: "Hey, I got an error connecting to that system, is this thing broken?!"
Instructor: "Hmm, probably not. What did the error say?"
S: "I dunno, I ignored it."
I: "Try reading it."
S: "Okay. 'Unable to connect to port XX on host.' What does that mean?"
I: "What would you do if you saw that in the real world?"
S: "I'd think the system was down … oh, that service you talked about before is down [starts service] … now it works!"
That isn't to poke fun at people. (Okay, maybe it is a little, you know who you are!) The real goal is to remind people attending training they need to stay sharp. In a healthy, well-built training environment, students can self-help their way through most glitches and challenges by applying their existing skills, or even better, avoiding them altogether by focusing on instructions.
The only real way to solve focus issues is through discipline. Learners need to invest themselves by applying the discipline that got them to where they are in their careers. Discipline serves to counter the hidden danger of distraction by the training itself. It's counterintuitive, but student zeal and ADD can mislead a student into getting off topic while learning what's being presented or practiced.
"Hey, what's that thing do...?" 20 minutes and two topics later, the familiar refrain to all teachers: "Uhh, where are we?", probably whispered to a neighbor. Or in bolder, less apologetic examples, "Wait, go back, explain the last 20 minutes." Yeah, it happens.
Discipline is not only needed by students. Management needs just as much, if not more. An all-too-common culprit of disciplinary issues is the very manager that starts the class with a demand that their people "make the most of this and focus! Turn on out-of-office, don't check emails, no surfing. After all, we've spent a lot of money and are investing heavily in you, don't waste it!"
I've seen that same manager, in the real world, interrupt class less than an hour later. "Sorry, something important" and hand out taskers or completely remove one or more people. Yeah, that happens, too.
While it's easy for me, as a teacher and trainer, to extol the pious virtues of focus and discipline, the reality is that I don't 'live' in 'the real world.' (All three definitions Google gives you from that link could apply here.) I live in a place I call "Happy Pretty Training Land." Where is this mystical place? Nowhere really. It doesn't exist. Maybe in some alternate string theory universe. It's a place where all parties are disciplined. And no crises occur.
"Hey, yeah, what about a crisis? What do you expect when that person in class is truly critical and something bad just happened that only they can fix?!" Yes, that happens, too. I will not tell you the correct answer is to deal with it and pretend we're in Happy Pretty Training Land. After all, the whole reason there is a class is to help the organization improve through personnel investment. This, of course, does not negate the need to 'keep the lights on.'
It does, however, lead us to tip #3.
Prepare the team for trainee absence to help minimize distractions. Effective preparation requires the whole team's attention. Reschedule meetings as necessary, organize backfills with backup personnel, brief collaborating teams on the expected disruption, and plan for workarounds where backfill isn't necessary.
The hardest part is not just giving lip service to preparation. Work at it and commit to finding ways to help your learners stay focused.
Furthermore, only register qualified students for the class. Most training has pre-requisites, experience, and knowledge students are expected to already have. A major source of distraction and class interruption is a student that isn't ready for the topic. Coordinate with training providers and the instructor when there are knowledge and skill gaps. They can tell you if the student should even attend or if there's a possibility to fine-tune the content or apply workarounds.
#4 changes tracks a bit and offers some real, neuroscience-driven advice for students. Pause for reflection time whereby a person considers previous experiences to see where the new stuff fits in. Your mind can only absorb so much, and, naturally, after many continuous hours of learning, most people reach a point of diminishing returns where comprehension breaks down.
During breaks in instruction and at the end of the day, spend some time thinking about what you've just learned and see how it fits into your world. See Don Clark's excellent (and well-cited) explanation for some history and implementation tips.
Similar to reflection, I also recommend some downtime where you aren't thinking about the material or any other mentally challenging topics. Have you ever had that "a ha!" moment when you realized the solution to a problem at a time you least expected, when you weren't even working on the problem and were even sleeping?
Albert Einstein, Aristotle, and Salvador Dali were known to use power naps. Fast Company's Drake Baer writes about the value of the "just beginning to dream" hypnagogic state. (Dali called for less than a ¼ second; read about Dali's interesting life hack for preventing too much sleep in Baer's article.) 20 minutes or more of sleep results in that familiar mental grogginess scientists call "sleep inertia," which takes time to clear before you are fully alert.
Try some reflect time and downtime.
#5 furthers the discussion by calling on you to fully realize your investment by following up with some focus on the subject in the days and weeks after class. Spend follow-up time refreshing on training topics and exercises to maintain or, better yet, enhance what you've learned with new skills and knowledge.
Practice skills you picked up in class. Look through the labs and lectures and ask yourself if they make more sense now. Then reflect and think how the content meshes with your world or doesn't. Formal training content is often a one-size-fits-all proposition, so some of it might not work for you.
Don't get stuck in Happy Pretty Training Land! Find what does and doesn't work, and then think about how you could achieve your team's expected results. Think about how you might apply what you've learned to solve new challenges no one has even identified. Think about how you might use what you've learned to tackle issues that aren't even in the scope of training or your organization's reason for sending you to class.
Tech skills are use-or-lose. Don't drop the ball after class by forgetting what you've learned.
Now tie it all together. You've committed valuable time and financial resources to training; make the most of it by applying these tips. Cybersecurity is too important to not put our best foot forward.