How to choose a security training vendor

By Jay Lloyd. June 24th, 2021.

When it comes to security, nothing is truer than the old saying: it takes a village.

Hiring a top-notch security expert is great, but they will only take you so far. You need "all hands on deck" if you want to run an effective security program. That doesn't mean all your employees need to be security experts, but they need to understand their role in protecting your company assets and your customers' data.

Like many of you who are reading this, I'm on a mission to build a strong security program and culture. As a fundamental first step, I wanted to include Security Awareness Training to teach Trustpage employees how to identify and mitigate risks that they'll encounter on a daily basis.

As part of the process, I looked at several Security Awareness Training vendors and compiled some notes on what features are important and what each vendor offers. Hopefully, this will help you reach a quick decision and launch your training program sooner rather than later.

So, what really is Security Awareness Training?

Security Awareness Training covers essential topics such as ransomware, managing passwords, email attacks (phishing and spear phishing), social engineering, and topics like physical security and working remotely. After your employees are educated on these topics, they will be better prepared to join your fight against bad actors (aka hackers), protect company assets, and stay compliant.

Fortunately, you do not have to create this content on your own. There are vendors with expertise in security training that can help manage your training program. However, that doesn't mean that your decision will be easy.

What are some key features when choosing a vendor?

Engaging Content

Each of the many vendors in this space brings its own take on content that feels fun and engaging. Some vendors use animation, while others place real actors in comedic situations. Security training isn't effective if your employees are sleeping through it. Regardless of the approach, you don't have to look far if you want to get away from boring slide presentations with voiceovers.

Custom Security Training

When it comes to content, security topics are usually covered in generic terms. However, if you want to include information that's specific to your company and policies, then you'll want to choose a vendor that allows you to customize their content. With a custom experience, you can cover all the training bases in one training.

Phishing Campaigns

A phishing campaign sends test phishing emails to your employees to see if they take the bait. If an employee fails, some platforms will automatically enroll them in a remedial training course. Your need for this feature will depend on the email security tools and policies you already have in place. Remember, hackers often use phishing emails to harvest employees' usernames and passwords and gain unauthorized access to critical systems.

Gamification

Gamification is an effective tool for motivating your employees to keep a watchful eye on security risks and for building a security-focused culture. Some vendors use gamification by providing a leaderboard for successfully identifying phishing attempts, or by pitting departments against one another to see which has the strongest security knowledge.

Reporting

After your training program launches, you may need to share your training completion data with customers when going through a security review. All vendors have dashboards and can export this information as Excel or PDF, but if you want to integrate with your existing systems, you'll want to ensure your vendor has an API. With an API, you can automate your Information Security review process and avoid the repetitive task of exporting reports whenever they're needed.

Tip: A Trust Center is an excellent option for storing and sharing your company's Security Training reports with customers.

Licensing

Some vendors have a fixed minimum number of licenses to buy or only provide multi-year contracts. If you have a small number of employees or don't want to be locked into a long-term contract, some vendors may not be a good fit for you.

The vendors we considered

Curricula aims to make security training fun. They use animation and storytelling to deliver engaging material. In addition to Security Awareness Training, they also provide compliance training across several topics such as GDPR, PCI, SOC 2, ISO 27001, CIS 20, and a few others that are specific to certain locales and industries.

A feature that stands out on Curricula's platform is customizable content. Other vendors provide this feature, but Curricula is different because it provides templates that match the look and feel of their standard content. This is a nice feature if you want an easy way to customize your content without getting a designer involved.

Strengths: Fun and engaging platform. Easily customizable content.

Weaknesses: No API access.

Habitu8 has a scaled-down offering compared to other vendors. On their website, you will find the words "I actually just need videos." This is a good option if you're looking for a no-frills service that can deliver security training to your employees.

Strengths: Barebones platform that's quick and easy to set up.

Weaknesses: No compliance training, phishing tests, API access or SSO.

Hook Security refers to its approach to security training as Psychological Security or PsySec. They create security training information and phishing campaigns monthly to foster a security-aware culture by using recent security incidents to train your employees on the latest threats.

Hook Security has a couple of features that differentiate its product offering. The first is reporting: in addition to a set of standard reports, they have an API that you can use to import data into other systems and build your own reports. The second is a managed program. For a nominal fee, Hook Security will manage your training program for you every month. All you need to provide is a list of users and a thumbs up for any monthly content that's scheduled to be sent out. This is a bonus for those who don't want the hassle of managing their own training and phishing campaigns.

Strengths: Offers a fully-managed service, making it well-suited to small or non-technical teams.

Weaknesses: No compliance training.

KnowBe4 has the largest content library in the marketplace, with training material that varies by style and length. With such a vast library, you'll be able to find content that matches your company's needs. KnowBe4 also has a lot of credibility in the security space. One reason for that is Kevin Mitnick, their Chief Hacking Officer. If you don't know who he is, Mitnick is a well-known hacker who now spends his time helping companies beef up their security. They also hold a few security certifications, so if you operate in a strictly regulated domain, then KnowBe4 might be the right vendor for you.

Strengths: Largest content library of all the options. Long history and strong reputation.

Weaknesses: No compliance training or free trial.

Living Security is turning Security Awareness training into a team activity. Their innovative approach to security training includes a virtual escape room. The purpose of the escape room is to bring teams together in real time to figure out how to escape; solving security puzzles as a team is the key to getting out. Other vendors in the market use gamification, but not to this level. This is a great way to integrate security into your company's culture, and even better for remote teams who are looking to build camaraderie through team exercises.

Reporting is another area where Living Security is approaching training differently. In addition to viewing which team members have completed their assigned training (hopefully on time), you can see which areas are the weakest for your team. This allows you to target those weaknesses and turn them into strengths.

Strengths: Fun and engaging platform. Good for team-building.

Weaknesses: No customizable content, API access, or free trial.

Mimecast does more than just security awareness training. They also provide security tools for protecting your company's emails. Mimecast bundles its product offerings together if you're buying direct. This could be an option for you if you're looking to add security training and some protection around your company's email. Otherwise, you will need to reach out to one of their service providers if security training is all that you're looking for.

Strengths: Offers a number of other security tools, including email protection.

Weaknesses: Their security training platform is only available as a bundled add-on with their email protection platform.

Ninjio mixes Hollywood writing with animation to train users about security. They offer two versions of their animation: Anime and Corporate. The latter uses a more conservative style of animation to appeal to a broader audience.

Ninjio not only provides Security Awareness training, but also compliance training for topics such as GDPR, PCI, HIPAA, and CCPA. This could be helpful if you're looking to demystify compliance regulations for your employees. Also, each enrolled user can share their subscription with a limited number of family and friends. This could be valuable if your employees work from home and you want to reduce the security risks that originate in their home environments.

Strengths: Fun and engaging platform. Employees can share subscriptions with family and friends.

Weaknesses: No API access or free trial.

If you're looking for a quick breakdown of features by vendor, check out this comparison chart:

Feature Comparison

Vendor | Security Awareness Training | Compliance Training | Phishing Tests | Customizable Content | API Access | Single Sign-On | Free Trial
Curricula
Habitu8
Hook Security
KnowBe4
Living Security
Mimecast
Ninjio

In the end, Trustpage selected Curricula to deliver Security Awareness Training to its employees.

A key factor that led to this decision was being able to create custom content. We want to include not only Security Awareness Training as part of our security program, but also Secure Code training and company-specific policies. So, it makes sense to combine our training initiatives into a single platform: our employees get a consistent training experience, while management and reporting are streamlined. Having a single source for training data will ease the pain of gathering evidence when it's requested during a security review. We also liked Curricula's simplified approach to managing security training, plus their fun and engaging content. I promised the team that I wouldn't give them boring content, so I had to deliver. Overall, Curricula's platform meets our current needs, and we believe they'll be able to match our future needs as they continue to grow their product.

Jay Lloyd is the Lead Evangelist at Trustpage. After work, you can find him on his Peloton. He lives in Detroit.

Copyright © 2021 Trustpage. All rights reserved.