Industry insights

How to design the best cybersecurity training program for your enterprise

David Strom
July 7, 2021 by
David Strom

One of the best ways to retain your staff is to invest in their further education and what is now called upskilling. But corporate skills training often has a hard time getting the respect that it deserves. Training budgets tend to be the first ones to be cut in any economic downturn and often don't get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers.

There is an additional factor when it comes to cybersecurity: the number of unfilled infosec positions is enormous and presents an opportunity to bring in new talent to close the gap. shows more than 30,000 cybersecurity job openings, and LinkedIn has more than 77,000 openings in their databases. Plus, the gap is widening: according to the U.S. Bureau of Labor Statistics' Information Security Analyst's Outlook, cybersecurity jobs are among the fastest-growing career areas nationally, with a 31% growth rate through 2029.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Let's look at how to determine the return on any training investment and how to design the right program that fits your particular needs.

The benefits of training

Before you can measure ROI, you first need to calculate how you will measure the benefits. There are three different kinds of metrics you can combine to use in your evaluation:

  • Awareness metrics: How many people participated in the program, how many graduated or completed the training and where do they fit in the corporate organization chart? Does this meet or exceed your expectations?
  • Adoption and retention metrics: Can you move the needle and measure some positive effects for your training efforts? Are there more certified security engineers as a result of your program? Did you retain the staff you expected, or did they find better opportunities at other companies?
  • Business metrics: You need to tie the training to your actual business results, such as net gain in sales or profits. Is there more search traffic to your corporate home page? Or a faster breach response? Make sure you are clear on what business requirements are important in your evaluation.

One way to measure these benefits is to invest in a learning management system (LMS). This is a good choice if you will be developing many courses internally and want some consistency in how they are delivered — or if you're going to blend in-person and online instruction across the enterprise.

These tools have various features that can help you develop your online courseware, track student progress and set up discussion forums, tests and other supporting elements. A good place to start to vet these kinds of providers is in this 2019 review by PC Magazine, a list of 10 LMS vendors and a detailed feature comparison.

The costs of training

The cost to conduct a training program depends on the type of program you design (see below for the major training modalities available), the logistics of managing the trainers and the students, and how often the curriculum must change to meet changing cybersecurity circumstances.

Enterprises also need to compare the costs of training existing staff with the process of hiring new employees. Training is usually much less expensive, especially if someone on staff already knows a parallel technology and needs to brush up on something new.

Finally, is your program only going to train a particular department, or will it be offered across the entire corporate staff?

Several different ROI calculators can be adapted to compare costs and benefits. They can also help you understand details you may not have thought of including. Two of them are from eLearning Industry (more nuts and bolts) and iSpringSolutions (more academic).

Training modalities

Once you have an idea of the costs and benefits, there are four different general training modes.

1. You can use several free or inexpensive college-style online courseware providers, such as Coursera, EdX and UdacityThe advantage is that they have solid curriculums and pre-made cybersecurity offerings and are suitable for smaller budgets. The downside is that you are locked into these offerings. Even though some of these providers offer more hands-on or practical exercises, it may not be as much as you desire to prepare your staff for the actual working conditions.

2. You can use a vendor-backed certification program, such as those offered by Microsoft, VMware, Cisco and others. These have the same pros and cons as the collegiate courses, but they usually have more hands-on components since the vendors want you to learn how to use their particular products. However, your security product portfolio might involve multiple vendors, making this advantage moot.

3. You can choose one of the cybersecurity industry organizations that offer certifications. We will discuss in our next blog post the various providers and options here. Certificates are easy to vet but are "just one data point in evaluating the worthiness of a training program," says Tom Hart, the COO of Eliassen Group, a major IT staffing operation based in the Boston area. "It isn't where or how someone has been trained, but what they really retain and how they apply that knowledge to their job's daily responsibilities."

4. You can develop your courseware internally or combine some of the classes from the above providers along with your in-house instructors. This is probably the most expensive option, but if you have specific circumstances that the outside vendors don't cover, it may make sense. Justin Ferriman, a learning and collaboration consultant for Accenture, estimates that each hour of delivering a particular training class will take 100 hours to develop.

Also, if your corporate culture is more onsite-oriented, you will want to examine those industry providers that offer in-person training.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.


Tom Hart, COO of Eliassen Group

Information Security Analysts, U.S. Bureau of Labor Statistics

E-Learning ROI Made Easy, Justin Ferriman

The Best Online Course Platforms for Business, PC Magazine

David Strom
David Strom

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as IT security, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 30 years. Over the course of his editorial career, he has helped launch dozens of Web sites, including the DesignLine series (such as for CMP's Electronics Group). As the founding editor-in-chief for Network Computing magazine, he hired a staff of 20, established the magazine's six networked laboratories, designed a network-based publishing and production system and wrote many articles on networking topics. From 2016-19 he created and curated the content of the Inside Security newsletter.