Cybersecurity training programs deployed in organisations are not effectively preparing employees for modern-day threats, according to Neil Thacker, EMEA and LATAM CISO for security software company Netskope.
Annual cybersecurity and compliance training programmes are now a lucrative business across industries. According to Cybersecurity Ventures, the security awareness training market was worth $5.6bn in 2023 and will surpass $10bn by 2027.
Thacker, who has over 20 years of experience in the information security industry and is co-founder and board member of the Security Advisor Alliance, claims that organisations need to add more human-centric prevention to their training.
“If anybody’s ever worked in an organisation, they will know there’s always that time of year when everybody has to go through and do their annual awareness training. Usually, they are listening to a computer-based training program to tell them what to look out for,” Thacker told Verdict.
Thacker used the analogy of road signs to explain his point: most of the time, drivers pay little attention to traditional road signs. However, road signs with radar systems that tell drivers how fast they are going are proven to be more effective at slowing people down and keeping them to the speed limit.
“That is what we need in cybersecurity, we need to show an employee, for instance, when they are about to do something that is a risk to the organisation or a risk to them,” Thacker said.
“Of that risk, we need to present it in a real-time kind of pop-up banner to say, look, what you’re about to do is high risk, we recommend you don’t continue or give them an alternative option,” Thacker added.
Real-time awareness and real-time education should be the cornerstone of all cybersecurity training, Thacker said, noting that 60% of all data breaches are due to somebody making a bad decision.
“If somebody is about to post highly confidential information into ChatGPT, for example, it may be a perfect time for a pop-up to appear and say, we’re going to stop you posting that information,” Thacker said.
Another disadvantage of annual cybersecurity training is that it cannot keep pace with the rate at which emerging threats are evolving.
“If I were to look back at last year, if organisations were doing this type of training in March, then they were unlikely to be talking about GenAI because it really exploded onto the scene around that time,” Thacker said.
“There was a huge increase, for instance, in the use of GenAI services from April through to September and then it kind of plateaued. If you had your training in the first half of the year you completely missed that,” he added.
“Annual cybersecurity training is commonly given after the horses have already bolted—the stable doors have already flung open, so it is normally a little bit too late,” said Thacker.
The value of cybersecurity deals in the UK peaked in 2023, according to GlobalData’s Deals Database.
In 2023, the value of cybersecurity deals totalled $83.6bn, a significant increase over 2022, which saw deals total $47bn.
The value of cybersecurity deals witnessed a peak in 2020 with a total value of $64bn; this was an increase over 2019, which saw deals total just $12.4bn.