The organizations today work in highly networked environments and the confidentiality, availability and integrity of information can only be protected if all employees have the basic knowledge of management, operational and technical controls required to protect the IT resources of their organization. Frank Johnson explains the strategies for designing an IT training program in corporate world. With the use of automated systems and advanced software in organizations, business operations and daily tasks have become highly computerized and programmed. The so called ‘manual work’ has considerably reduced.
However, the audit reports, periodicals and conference reports generally show that people are still one of the weakest links in attempts to secure the IT systems and networks. A robust and company wide IT training program is integral to ensure that all employees associated with the organization understand their duties, responsibilities, organizational policies and the secure use of the resources entrusted to them.
A successful IT Training Program comprises:
Developing IT security policy that reflects the business requirements tempered by known risks
Informing the users of their IT security roles and responsibilities as mentioned in the organization security policy and procedures.
Establishing processes to monitor and review the IT security program as per changing needs of organization The IT security program must focus on the entire user population of the organization. IT training is crucial for all departments including Operations, Finance, Administration and HR.
The higher management needs to set an example for appropriate IT security behavior in the company. The awareness program should start with an effort that can be deployed and implemented in different ways and must aim at all hierarchal levels. Designing the IT Awareness and Training Program The IT training has to be planned and designed as per the organization’s mission. The program must support the business needs of the organization and must be relevant to its culture and IT architecture. The model of the program can differ as per the size and geographic dispersion of the organization, the budget allocation and policy and the pre-defined rules and responsibilities of the organization.
The program may be Fully Centralized, Partially Centralized or Fully De-centralized. Let us now examine these three designs in further detail:
A- Fully Centralized IT Training Program – With Centralized Policy, Strategy and Implementation In this model, the responsibility and budget for entire organization’s IT security awareness and training program is entrusted to a central authority. All directives, strategies, development, planning, and scheduling are coordinated through this authority for IT security awareness and training. The central authority conducts needs assessment of different departments to determine the appropriate strategy for the training program. The IT training plan and the actual material for training is also devised by this central authority. For this, it may need to liaise with senior managers or representatives from different departments to cover their specific requirements in the training. They can also provide feedback to the central authority on the efficacy of training material and the relevance of methodology used for training. This helps the authority to fine tune and make required modification in the training material and/or methodologies employed for the program. The centralized approach is good and feasible for organizations that are relatively small and have a high degree of centralized management for most business operations and functions.
B. Partially Centralized IT Training Program - With Centralized Policy and Strategy but Distributed Implementation Under this approach, the policy and strategy for the IT training program are outlined by a central authority but the task of implementation is delegated to the line management officials in the organization. The budget allocation, material development, and scheduling are the responsibilities of these officials. The central authority does communicate the organization’s directives concerning IT security awareness and training, the strategy for conducting the training program, and the budget limits for each organizational unit. The authority also works to analyze and assess the training needs of different units and provides all required guidance to line managers. However, the actual implementation of the program and the responsibility of training staff members in every unit rest with the line management officials.
The central authority can ask for periodic inputs from each organizational unit with reports on training expenditures, the status of unit training plans, and the progress reports on success of implementing the IT awareness and training policies. The central authority may also require the organizational units to report the number of attendees at awareness sessions, the number of people trained on a particular subject, and the number of people yet to attend awareness and training sessions. The partially centralized model for IT Training is appropriate for large organizations that have units and functions spread over a wide geographic area. An organization working for more than one business domain would also have separate IT training requirements in different units and the partially centralized approach can be tailored to meet the specific requirements of those units.
C. Fully Decentralized IT Training Program – With Centralized Policy and Distributed Strategy and Implementation In this model, the central authority only disseminates a basic IT policy and the expectations regarding IT security awareness and training benchmarks in an organization. It is then the responsibility of individual unit heads to execute the entire IT training program in their departments. The need assessment and analysis is done within the organizational units and the strategy for the awareness and training program is also chosen by the unit heads or senior managers. Based on these strategies, they devise their own training material and methodologies which are then deployed in the units to train the staff. The central authority also allocates the budget limit as per the policy, though the appropriate utilization of this budget has to be planned by the different units. Like the other two models, there is a two way communication between the central authority and the individual units and the authority may ask for periodic reports on the budget expenditure and progress of IT training in terms of the number of people trained successfully and the pre-training and post-training difference in level of IT security awareness in the organization.
This approach suits large MNC organizations with decentralized management structure. It can also be followed by organizations with separate and distinct businesses where training needs may differ considerably. To ensure the success of an IT Awareness and Training Program in any organization and optimum utilization of training funds, it is imperative to assess the exact needs of all units. The system administrators and executive managers need to be consulted for this assessment and analysis. Also, it should be remembered IT Training is not a one time requirement. Periodic updates and refreshers through objective E learning tests also need to be arranged for, to ensure that the right IT awareness is always maintained.
About the Author: This article by Frank Johnson is the first in his series on ‘IT Training’. Frank is a regular editorial contributor on technology products and services that helps small to mid size businesses. To know more about IT Training strategies and implementation, you may interact with him here