Training: it’s one of the best investments for yourself or a team. Even though it’s super important, I often see training not making that big of an impact on employees. They might get that new certification or complete a course, but have they changed? Has the TEAM grown? In some cases they have, but not as often as I would hope. When it comes to training I equate it to a gym. You might go there to work for specific reasons like developing a certain muscle, building up stamina with cardio, or just losing weight. But what happens when somebody gets a gym membership? It sits there, maybe used for a month or two, but they slowly stop going. According to some interesting statistics from International Health, Racquet & Sportsclub Association, “12% of all new gym memberships happen in January (2020)”, but “Most gyms lose 50% of their new members within 6 months (2020).” So people have good intentions but don’t follow through.
How are gyms trying to combat this decline? Well, this article describes gyms trying a couple of methods, summarized below: https://financesonline.com/gym-membership-statistics/
- Offering group classes can help member retention as it motivates members to participate in fitness programs. 85% of fitness club members visit their facility twice a week to engage in group classes, while 43% visit 4 times a week for the same purpose (AFS Fitness).
- Fitness club members in the UK are more likely to stay if they are part of group activities. Forty-eight percent of members went to the gym to attend one group activity, while 32% attended two, and 20% participated in three or more group activities (TRP).
- Other factors that can help increase member retention are location and quality of equipment. Fifty percent of members said they continued going to their gym because they liked the location, while 38% said they kept their membership because they thought the equipment is worth it (CreditDonkey, 2020).
I find this interesting because one of the main things gyms try to do is create group classes. I believe group classes do three major things: hold you accountable, make you part of a community, and help find motivation from others.
- Holding yourself accountable – If you signed up for the class with friends or a group, you don’t want to let them down. You’ll make an effort to set aside time for this class because you know that they might wonder why you didn’t make the last one.
- Being part of a community – When part of a group, you’ll have similar interests. Sure, you take that yoga class together, but maybe several of the people are interested in spinning, so you take a class together for that, too. Then maybe some enjoy riding their bikes on the bike path. Being part of one group might open up subgroups with similar interests and make you more likely to stick to group activities.
- Finding motivation from others – Some days you don’t have it; you’re tired, the kids kept you up, you had a flat tire, and work just isn’t going your way. While you’re in your class you might hear of other people’s troubles and see how hard they’re working to achieve their goals. This might be enough to motivate you to keep trying and stick with it.
Group classes sound wonderful, but we all know being around others or having a community doesn’t automatically mean you’re going to succeed. But I believe it makes the chances better.
How does this relate to security training? I see companies give out a subscription to Cloud Guru, TryHackMe, or Pluralsight, and that’s it. No follow-up, no group activities. Just like gym memberships, some people might use that platform for a while before their use drops off, and some people never use it at all. It’s unfortunate because companies might spend a lot of money on training, but they never facilitate a community to help their employees succeed.
Another thing I see is companies picking a training platform for one specific purpose, or one that offers little hands-on training. Cloud Guru is great for cloud services, but what about the red teamer of the group or the person that is really into digital forensics? They will definitely feel left out and lose interest. I believe Pluralsight has some fantastic training, but it’s just videos. You want your employees to grow and, just like with a gym, you need to actively do something, not just watch TV.
My solution is the “Security Club”, which would be very similar to a book club. Start with a diverse platform that offers a variety of beginner and expert labs to choose from, on several topics including digital forensics, incident response, blue teaming, red teaming, and more. (TryHackMe is a perfect example.) From there, you can make a virtual area in gather.town or Discord (just a platform to share screens and voice chat). On a weekly basis, one person from the group will pick a lab to do. Everybody in the group has a week to complete the room, and in the following week the lab is reviewed. This is an opportunity for people to ask questions, explain issues they had, or celebrate their accomplishments. After the lab has been reviewed thoroughly, another person will be chosen and will get to pick for the group. This will continue week after week. Just like a gym with multiple types of classes, maybe after some time you can make a red teaming club where everybody gets an account on Hack The Box and works through the labs there. Maybe make a blue team club where people get a subscription to blueteamlabs.online. It can grow and expand over time if that’s what the group is interested in. I believe starting with a very diverse platform first is key, though.
The idea is to keep the group engaged, accountable and working as a team on problems. Especially in a remote workforce environment, things like this need to be done. I don’t believe giving somebody a $5k+ course is the solution to leveling up your employees or creating a better team. More effort needs to be focused on the group mentality and evaluating how things are going, and being willing to change if it’s not going well.
Editor: Emily Domedion