Every organization wants to keep its employees’ cybersecurity skills up to date, but for many, the cost of advanced formal training can break the budget. At the SANS Institute, for instance, considered by many to be the gold standard for professional training, courses can cost more than $5,000 per person. At high-profile conferences like Black Hat, even one- or two-day sessions can run close to $4,000.
But those aren’t the only options out there. In fact, experts say, there are plenty of high-quality ways to boost security skills without breaking the bank. Their suggestions fell into two broad categories: making use of your own internal resources to ensure that cybersecurity knowledge is shared throughout your organization and finding low-cost external resources, either in addition to or as part of your internal efforts.
How internal training can deliver
When we asked cybersecurity pros where to find low-cost or free training, one answer came up again and again: look within. Your own organization almost certainly has a wealth of security knowledge, and your employees can help train and educate their coworkers.
“The first resource any company should look towards is its own people,” says Attila Tomaschek, a digital privacy expert at ProPrivacy. “Internal cybersecurity experts can offer incredibly valuable insight into what an effective training regimen should consist of, as well as lead training sessions and answer questions from participants. Taking such an approach can be immensely productive and cost-effective at the same time.”
For some, the idea of internal training as free or low-cost may ring some bean-counting alarm bells. After all, your employees are not free: you pay them, and the time they have to dedicate to their jobs is finite. But by deploying internal resources, you avoid the upfront costs of paying for expensive training sessions or courses. And cultivating an internal security training culture has other benefits, both tangible and intangible, as well.
Formal training programs. There is a wide range of ways you can implement trainings and knowledge transfer internally, depending on your company size and capacity. At MongoDB, an internal “security champions” program permeates all departments within the company, says CISO Lena Smart. Champions volunteer to participate and “are the conduit through which business units can discuss security needs, issues and requests,” she explains. Champions attend monthly security meetings, help educate their teams on security matters, and are expected to dedicate two hours a week to learning more about current security issues.
Cost is difficult to quantify, says Smart, but she believes that the investment is worth it. “For example, a security engineer hosting a presentation about network security best practices provides value to the champions while also making the engineer’s job easier, since champions are likely to share and implement what they’ve learned during that session.” The program has buy-in from top execs, and now has a full-time employee in charge of it.
That said, MongoDB is a fairly large company, with around 2,900 employees; obviously a small shop or startup couldn’t support a program like this. But we spoke to several other IT pros who described less formal ways in which employees at companies with fewer resources can help keep each other’s skills up to date.
Knowledge sessions. Deepak Gupta, co-founder and CTO of LoginRadius, describes how he approached this problem in the early days of his company: “We had a small and not very experienced team, and it was essential for them to learn and grow. If the team was lacking some specific skills, we used to do weekly sessions to overcome that specific knowledge gap. The key here is the team should be willing to learn and adapt. We were successful building the team with this approach.”
Jason Vigh, Cybersecurity Manager at 1898 & Co., says his company also uses these kinds of semi-formal presentations to train workers. “These ‘lunch and learns’ create an open forum for collaboration on various cybersecurity topics,” he says. “This allows not only senior-level members to share their experiences, but also junior-level members to discuss their personal research on various topics and solicit feedback from more experienced employees to validate the concepts they may have been researching or learning.”
One-on-one mentorship. Along these lines, our experts urged companies to take advantage of opportunities to pair up senior and junior employees to help transfer skills across generations at the company. “We’ve done both formal and informal job shadowing with great results,” says Marlys Rodgers, CISO at CSAA Insurance Group. “Last year, we brought on a completely non-technical resource from our servicing area and she’s now driving our phishing campaigns, metrics, and data analytics. We are now focused on job rotations and internships to leverage our experienced resources and their knowledge, and the result is extra hands to help while learning on the job.”
Presenting and contextualizing publicly available content. There’s a wide variety of security-focused content out there available free of charge, ranging from blog posts to webinars to podcasts. A lot of that material could be useful to technical and nontechnical staff alike—and it’s up to internal IT security experts to separate the wheat from the chaff.
“I have been sharing podcasts with my employees,” says Sebastian Schaeffer, CTO and owner of dofollow.io. He’s a particular fan of Unsupervised Learning with infosec expert Daniel Miessler, and Darknet Diaries hosted by cybersecurity pro Jack Rhysider. But he emphasizes that making use of that material involves more than just sharing a link. “You, as the in-house IT expert, have to help contextualize the content and help people extract the main takeaways,” he says. “But it is entirely possible to instill cybersecurity best practices into people without IT backgrounds simply by providing them with access to conversations with leading experts.”
Looking outside for nuggets of wisdom
As Schaeffer makes clear, you’re going to need to pull information and resources from the outside world to truly upskill your IT department and keep your larger employee base up-to-date on cybersecurity.
The wider world is full of resources you can draw from, if you know where to look.
Online courses. There are plenty of free and low-cost resources out there, and several sites and courses came up repeatedly with the experts we spoke to (see the sidebar for a list).
These offerings can be integrated into internally run cybersecurity training programs, delivering well-designed courses to employees without putting a big dent in departmental budgets or requiring someone in-house to dedicate time to developing a course from scratch.
Jordan Muariello, CSO at Critical Start, says that his company makes use of both Udemy and edX to train their staffers. “The Harvard CS-50x Intro to Computer Science course on edX is a great introduction to programming fundamentals,” he says. “Additionally, instructor Jose Portilla of Pierian Data Inc. has his Python courses on Udemy for a very affordable rate. Both courses are essential as we progress analysts into being able to conduct code analysis, and eventually learn software reversing on their way to malware analysis.”
Vendor resources. Lovisa Stenbäcken Stjernlöf is the Okta Practice Lead at Devoteam Cloud Services, a Swedish consultancy. “We of course use the training resources of the different partners that we resell,” she says. “But that can actually be a strategy for others too. Many product companies offer their trainings for free, and they usually also include more general cyber security knowledge as well.”
John Roman, president and chief operating officer at FoxPointe Solutions, concurs. “Companies including ESET, Crowdstrike, and Symantec frequently offer free webinars and discuss relevant topics and training around hot cybersecurity topics,” he says. “Monitor for these sites and take advantage of additional learning opportunities.”
That said, he emphasizes that you should approach such resources with the understanding that they are part of the vendor’s marketing strategy. “As best practice, there should always be a vetting process with vendors,” he says. “Before inviting a vendor to present a training session, a company’s CIO or CISO should vet the presentation or materials to ensure 95% is educational and 5% a sales pitch.”
Learn from the mistakes of others. Often, security breaches eventually become a matter of public record, especially if the affected company is in a heavily regulated industry. The reports put out by regulatory bodies on these breaches are a great resource for helping your infosec team understand real-world cybersecurity issues. “By understanding where others have fallen short, we learn from events where others have not been so fortunate,” says Simon Backwell, information security manager at Benefex, Ltd. “The best thing is that there is no cost apart from the time and effort that the individuals put in to listen to or read these resources.”
Meetups and networking. Our final bit of advice: there is no greater resource for infosec knowledge than your fellow infosec pros. That means you should be encouraging your employees to network with cybersecurity professionals outside your company, and you should be doing the same.
Adam Fard, founder and head of design at Adam Fard Studio, urges you to look for meetup groups near you. “While meetups are less structured than conferences and group memberships, they nonetheless provide an excellent chance for learning and networking,” he says. And, he adds, “If you don’t live near a large city with in-person meetups, there are clubs that conduct virtual events to ensure you don’t miss out! Because meetups are often free, they provide a wonderful opportunity to learn from seasoned cybersecurity professionals on a budget.”
In the end, one of the greatest benefits you can get from your wider professional network is the inside scoop on where to find more free and low-cost trainings. “Last year one of my goals was to find a couple different training courses that would improve my work as a defender in the detection space,” says Amanda Berlin, lead incident detection engineer at Blumira. “Of course there are thousands of people that sign up for BlackHat classes as well as classes at other conferences, but those came at a high price. It was during that search that I found some other conferences, including Wild West Hackin Fest, based out of South Dakota.”
“At first I was hesitant: how could the courses be any good when they weren’t charging a large amount for them?” she continues. “But after a while, I started to hear back from other people in the industry and their first-hand experiences taking other courses as well. There were a few specific courses that kept on crossing my path in recommendations—including some from WWHF.” Ultimately, she was very satisfied: “For the price (around $500-$600 a piece) they have all offered a huge amount of information and hands-on learning.” And the fact that she found her way to them testifies to the power of community.