Making Training Better
It's easy to overlook internal training and it's importance. We've all sat through new employee orientations at client sites or jobs that all kind of boiled down to the same old stuff. "Talk to these people if you need that thing, don't get set on fire if the building is on fire, and the bathrooms are right over there." Even worse, once people finish sitting through that slide deck that was made sometime around the time the company started, they're often sent off to security awareness training that uses that weird stock image of the guy in a ski mask while using a computer. By the end of their first day or two at work, people have been hammered with a bunch of useless slide decks, probably handed a few printouts, and sent on their way to wander the building to try and find their next meeting.
Let's face it: training isn't sexy. Even as someone who has written and given training, I know that the majority of the training I give is forgotten as soon as people walk outside the doors of the training room. So when I read this article from the New York Times about Apple's internal training, I was really interested. It seems that Apple has managed to create a training program that's not only so interesting that the NYT will write about it (although that's partially due to the secrecy surrounding it), but also training that was still being discussed a year later by people who had presumably been in the class.
So what is Apple doing that is so interesting with this Apple University that keeps people talking about it long after they've left? Well, there's a few things that jumped out at me. First, they're making sure that classes are releveant.
...employees sign up for courses tailored to their positions and backgrounds. For example, one class taught founders of recently acquired companies how to smoothly blend resources and talents into Apple.
Relevancy is huge when giving training. Tech employees don't want to waste their time getting training on accounting systems any more than an HR employee doesn't want to sit through an explanation on how the network works.
Second, Apple is using examples that resonate with people. Apple is a company that seems to value minimalism, and their culture tries to reflect that. Since most people are familiar with that idea, the example of the remote with 78 buttons from the "What Makes Apple, Apple" class is an excellent object lesson on what not to do, and is almost comically far away from the way that Apple tends to think. As a result, people chuckle about that slide going forward and it sticks in the mind.
So how do we work similar things into InfoSec training? I'm going to borrow from one of the great talks I saw at BSidesLV this year, and say that we have to make training relevant. Casey and Emily gave a great talk in the Proving Ground called "Pwning the hapless or How to Make Your Security Program Not Suck" that spoke to exactly this when looking at security awareness. Likewise, it's so incredibly tempting even as an instructor to write training programs that do a great job of presenting information, but not making it interesting. A humorous example of a guy stealing a laptop or people evading a company firewall can help people better understand some of the risks involved with their actions, and it will also help to make a story stick in peoples' minds longer.
Obviously there are a lot more things that Apple does to make their training great, and in the same way there are tons of things that people can do to make their own training better for employees. These are just a few points that jumped out at me with some of the things that I had seen lately. Training, and in particular security training is near and dear to my heart, and I love seeing examples of ways that training can be made a little better. Do you want to sit through another PowerPoint presentation being read to you? Because I sure don't. Better training is better for everyone.