Learning and training are two terms that are often used interchangeably, but do you know the difference between them? If you run GDPR and security training in your organisation, it’s important to make sure that your training encourages long-term learning. In this post, we break down the difference between learning and training. We also leave you with plenty of hints about how you can encourage a culture of learning within your organisation, so that you can take your security to the next level.
Learning vs. Training
Here’s where we say the uncomfortable truth: that learning and training are not the same. You can pay for somebody to train your staff about how to avoid phishing emails, but simply attending training doesn’t translate into learning or remembering new information. With IT security training for employees, the goal is for staff to learn to be aware of cyber security threats and best practices - but they don’t have to be experts. Understanding the difference between learning and training can help you design a training program that works. So, let’s talk about why training and learning are not the same thing.
Training teaches skills
Training is an activity, and it’s even one way that learning can happen. Good training leads to learning, which can then lead to positive changes in staff performance. In the most basic sense, training is the process of giving somebody new information so that they can acquire a new skill. It’s usually used to teach people the basics of how things are done, like all the onboarding you do when you start a new job. Training will give people specific skills that they can apply in the same situation over and over again. It also only requires passive engagement from the attendees, like showing up at a meeting or clicking through an online module.
Learning changes how we think
Learning is different from training because it requires active engagement. This active engagement allows people to absorb and retain new concepts and skills, so that they can be applied in the future. Learning also alters how we think about the world around us. Because of this, when we learn something new, we can apply that knowledge to future situations that might differ from the material we were first taught. Since the IT security threats we face are always changing, learning is extra important when it comes to cybersecurity.
Remember that learning and training are complementary, and training on its own doesn’t automatically guarantee that learning will happen. Learning also comes in many sizes, and you don’t have to be an expert in IT security to have learned something from security awareness training. In the next section, we’ll talk about how you can increase learning in your organisation.
How to transform your training into long-term learning
Sitting through training, either online or in person, isn’t enough to produce learning. For learning to happen, people have to be engaged. They have to believe that what they’re being taught is valuable and relevant to their lives. Does your training meet these criteria? If not, we are here for you! This article contains a lot of tips you can use to improve your training so that it leads to long-term learning. And if you are craving even more tips, feel free to check out our blog post with 11 tips for awareness training.
Get support from management
The first step is to have support from your organisation’s leadership. This might sound like a no-brainer, but you may be surprised how many IT security professionals struggle to get their organisation’s managers to prioritize security.
So, getting support from management is a good place to start. When leadership values something, it is much easier for all levels of the organisation to also value it. Ask yourself:
One way to get buy-in from management could be to create a risk analysis that shows the consequences and risks of not training your colleagues to be aware of security threats. This can help you demonstrate why security should be a priority within your organisation.
Department managers count, too
This applies to both the top managers and the managers of individual departments. Having support at every level matters. It also shares the responsibility of IT security more evenly. For example, instead of the IT team always following up to make sure staff complete training, this could be done by the department managers.
There are many other ways you can measure how supportive your management is when it comes to security, and you know your organisation best. With management’s support, everything else will be much easier.
A lot of training uses a top-down structure. There’s the person teaching, who does all the talking, and then there are the people being trained. They are expected to listen and can ask questions at the end, but sometimes that’s it. Sounds boring, right?
Adding a cooperative element to your training helps everybody learn better. Making training cooperative means that instead of the scenario above, where the trainer is the owner of all of the knowledge, people can learn from each other and share their own experiences. This sounds much more interesting, and the interactive element helps people remember what they have learned.
Here are a few ways you can make your training more collaborative:
Set aside time at team meetings for people to talk about IT challenges, tips, or questions
If you do in-person training, make time for small group discussions throughout the lesson
Foster an office culture where security is a normal part of the conversation. Our free GDPR and cybersecurity posters are great conversation starters
Cooperation and collaboration are great because they get people more engaged, which primes them for learning. This type of learning environment can encourage dialogue between colleagues about how to solve data and IT security challenges, which leads to greater awareness.
Make training relevant
The more specific and targeted the learning material is, the more people will take away from it. It’s so much easier to remember something when you have a real-life example of how it could happen. That’s one reason why sending simulated phishing emails is an effective way to train your employees to recognize phishing attempts.
Examples of adding relevance
How you make your training more relevant depends on what kind of learning you use. For example, if you use e-learning courses like ours, you could send out your organisation’s guidelines and people to contact with each new course. Our platform also allows you to add material for your users to see next to their courses. With this kind of online platform, you can keep all your IT security courses and documents, like an Acceptable Use Policy or employee handbook, in one place.
If you use in-person learning, you could ask people to share their own experiences with the topic or highlight a time when your organisation experienced a related threat.
Be a good trainer
This is where all your great skills really come into play. As somebody responsible for GDPR and security training in your organisation, you are a big part of how the learning goes. Imagine a teacher that you had, who you really liked, and try to emulate some of their best qualities. For example, here are a few things you can do as a trainer to encourage learning:
Be supportive of others. A supportive guide makes us so much happier to learn about IT security. Remember that your colleagues aren’t experts and give them encouragement when they make progress. This way, you’ll encourage their learning and development.
Challenge your colleagues to grow. We usually have to be pushed a little bit outside of our comfort zone to really learn something. You can challenge your colleagues to become more aware, but make sure not to push too hard or be too demanding. Phishing test emails are one way to encourage learning by challenging your colleagues to detect the signs of a phishing email.
Keep an open mind. Mistakes are going to happen, and when they do, it’s important that you keep an attitude of openness rather than blame. An open conversation about what went wrong can help somebody learn from their mistake, instead of repeating it. Also, when blaming and shaming happen after a mistake, people are more likely to keep errors to themselves instead of reporting them. This could cost your organisation in the long run, because security breaches become more expensive the longer they take to resolve. You could even consider an anonymous reporting system so that people feel comfortable bringing up security problems.
You can also read about how some of our customers run their training programs, and what they do to encourage learning in their organisations.
Make time for conversations
Having open conversations about IT security is something you can see in many of our recommendations. The reason is that it works! Normalizing talking about security, either among colleagues, or between the IT team and a colleague, makes your security culture stronger.
How to keep an open dialogue going
One way to foster dialogue is to be open to answering questions after all new training events. You could set aside “office hours” or allow people to email you questions that you answer at the next company meeting.
Some of our customers hold sessions with their staff every time a new course is sent out to their company. In these sessions, the IT department has time to answer questions from their colleagues and host a conversation about how the material applies to their organisation. This style of training could be considered a hybrid approach to awareness training where microlearning happens during the online course and the key points are discussed in person.
Keep training engaging
We've talked a lot about how important it is to make sure that your training is engaging, because that’s what contributes to learning. Engaging training will make it easier for your colleagues to pay attention and absorb what they’ve been taught. Here are a few ways you can make your training more engaging:
Encourage reflection. Include time for people to reflect on the material and relate it to their own lives and work. This leads to learning because people can actually apply the content to their daily lives.
Use our free posters. These are simple and fun visual reminders of good security habits, like installing updates when they are available. We have posters on cybersecurity and the GDPR that you can hang around the office or display on information screens.
Implement microlearning. Microlearning is learning in small doses, and it is proven to benefit learning. Our blog post covers the essentials and ways you can use microlearning in your organisation.
You can support your communications around training topics with little reminders about security or even funny memes. One of our customers, DTU Biosustain, made their own video about the dangers of phishing to warn their staff about a security risk in an entertaining way. Don’t worry if you don’t have the time or resources to make a lot of different communications materials, though. We’ve found that just sending out a few funny memes and some simple IT security information can have a positive impact. In addition to lightening the mood, these small acts make security a regular conversation topic in your office.
Focus on the outcome, not the completion
If you’re running training just to check off a compliance box, you’re missing out on a lot of learning opportunities. The number of people who complete a course tells you how well your organisation complies with the training requirements laid down in the GDPR and other security frameworks. But it says nothing about how aware your company actually is, or how much people have learned.
If you really want to focus on learning, you should look into some other metrics. Phishing testing is one way to see how well the lessons taught during training are absorbed and used in practice. You can also play an active role in training by following up with people who didn’t do so well on an awareness training test question or in a phishing simulation. We have some tips on how to measure the effect of your awareness training, where you can get more ideas about how to see if your training is working.
Takeaway: training is a tool, not a solution
A key piece of information to take away from this blog post is that training is only one piece of the security puzzle. In order for your organisation to improve its security, the training you do has to produce long-term learning. Simply giving your staff training is not enough, and you’ll need to put in some work to transform your organisation’s culture into one that prioritizes security and awareness.
We work with many customers and help them achieve stronger cybersecurity cultures through our awareness training and phishing testing. We’d love to work with you, so feel free to contact us if there is anything we can do to support your work.