Training without testing - Why you're wasting your training budget

Written by Gavin Wilson - Director of Physical Security & Risk | Apr 22, 2024 4:53:51 PM

It is a common fact: we love to train but hate to test.

You spend time and resource organising training for your team, they attend the training, they might fill in a survey to get feedback, then just a few hours later it is back to business as usual and quite often the training is immediately forgotten. The business gets a tick in the box that the training has been done, but when something goes wrong, it tends to ask why.

Does this scenario sound familiar? 

We understand everyone is incredibly busy... it can often be a big enough challenge to just get employees to attend training in the first place... 

But think about it, if you are only ever providing training, then how do you know the effectiveness of what is being taught, and how do you know what they have been taught is or remains relevant? 

Training without testing is akin to sailing without a compass – you are investing time and resources without knowing if you are headed in the right direction. 

This is even more prevalent when you are talking about security training as your people are often your greatest weakness and security vulnerability. Therefore, it’s critical that you are continually testing what the team have learnt to make sure they have the skills required to be your first line of defence and those skills remain relevant to the environment they work in.  

This blog discusses why testing is so important to training, the critical things you need to consider when organising training and the types of security training you should consider.  

Before you start...

Businesses often excel at providing internal training without identifying either a reason for training or identifying the training gaps. Training is provided because we need to train, but without identifying the specific, measurable, and achievable goals for why we need to do it and for what purpose, it often provides a false sense of capability.  

Before starting any form of training, make sure it is relevant to the current business need and then baseline your teams' current skills and set goals. You will then know how much training is necessary to reach the desired outcomes and can also measure the level of knowledge retention. 

If you don’t know how to do this, there are plenty of ways you can get this information. For example, if you want to assess your team's current level of susceptibility to cyber-attacks, run a Phishing Email Test. This is a realistic simulation of a phishing attack, designed to mimic the tactics used by real cybercriminals. By analysing your employees' responses to these simulated attacks, you or a training provider can identify potential vulnerabilities and tailor the training approach accordingly to ensure maximum effectiveness.

Why is testing vital?

Consistent testing plays a crucial role in pinpointing learning gaps and highlighting the necessity for remedial or supplementary training. By shedding light on these gaps, it promotes a culture of continuous improvement within your organisation.  

Moreover, testing serves as a litmus test for evaluating the efficacy of training initiatives. Without periodic assessment, it will be very difficult for you to ascertain whether the desired skills and knowledge are being imparted effectively.  

Important things to consider 

Whilst internal trainers are cheaper, they are often known to your staff and so the impact is lessened. External training providers are experts in their field and can help to bring the training to life; they are also continually learning from their array of clients. If possible, it’s also a good idea to consider doing your training in a totally different venue to get everyone in the right mindset and away from disturbances.

When planning training, make sure you consider that people learn at different paces and are receptive to different types of training; some of your staff will be visual learners, whereas others are didactic learners and can absorb classroom-based training, and others can learn from a book – however, almost everyone needs practical exercises. There is no catch-all method in training, but find a good mix and you’ll get much better results.

Should we test contractors?  

Beyond testing internal staff, it is prudent to assess the proficiency of contractors, especially those entrusted with critical functions like security. This ensures value for money and identifies potential training gaps that could jeopardise organisational security. 

Your service providers should be open to assurance testing – contractors who are not should be avoided as it demonstrates a lack of confidence in their staff and ability to consistently deliver their service. Assurance testing should be agreed with the contractor but conducted on staff without warning, so not only core contractors are tested, but staff with irregular hours, and new starters, are captured in the audit. 

What are the benefits?  

There is a vast number of benefits when training and testing is done properly. You will end up with a more skilled and confident workforce, it will significantly reduce your security risks, you’ll improve customer service, and you will also enhance workplace practices. 

The importance of exercising 

Incorporating practical exercises, such as crisis management simulations and first aid drills, can really help bring training to life. These exercises help to ensure your organisation is ready to mitigate risks in real life and safeguard personnel.

Security training should form part of a wider security assurance programme that will ensure your efforts and investments are wisely spent. Security dynamics are fluid and training needs to be relevant to all your threats and risks. Taking a blended approach to security training will enhance your organisation's resilience to cyber, physical and people risks.

We fully understand that training and testing is an up-front investment, but when done properly the return on investment is invaluable and often unlimited in potential. Remember the true litmus test of training efficacy lies in the ability to apply this knowledge when faced with a real-life scenario.  

What training does Toro provide? 

Toro offer a broad range of cyber and physical security training all of which can be tailored to your organisation's specific needs. 

Some of our popular training courses include:

  • Risk Management 
  • Travel Management  
  • Traveller Safety 
  • Cyber & Digital Hygiene   
  • Crisis, Emergency and Business Continuity Management  
  • Situational Management and Behavioural Awareness Training  
  • OSINT Training 

If you want to find out more about how Toro can support you with training and testing for your team, please email mike@torosolutions.co.uk and he would be happy to have a no obligation phone call to see how Toro can help.