

As the cybersecurity threat landscape continues to evolve and security breaches occur at an increasing rate, the value of security awareness training has grown dramatically.  Cybersecurity-related business disruptions and data breaches create real costs: lost revenue, decreased productivity, investigations and remedial action, fines and penalties, and a tarnished reputation.  Malicious actors know that humans are still the weak link in the security chain, and we continue to see situations where untrained or improperly trained employees open the virtual door for cyberthieves to walk in, or an incident goes unnoticed or unreported for months (or years!). According to the 2017 Verizon Data Breach Investigations Report, over half of the breaches reported that year involved malware, and 66% of the malware installed arrived via malicious email links and attachments opened by end users; many of these disruptive attacks could have been prevented with proper end-user training, and the cost of security awareness training is almost always far less than the cost of recovering from a breach.  Additionally, attacks on insecure web applications accounted for a large number of incidents last year (6,502 total incidents, 571 with confirmed data disclosure, according to Verizon), many of which could have been prevented with proper developer training.

From a business perspective, appropriate security awareness and training is one of the most essential and cost-effective pieces of an organization's cybersecurity strategy.  Maintaining a mature, ongoing awareness and training program is one of the best ways for an organization to demonstrate executive leadership's commitment to a culture of cybersecurity, and ongoing security awareness training provides an opportunity to assess and improve how employees identify and respond to real-world threats. Effective training gives team members the tools they need to proactively prevent, identify, and report potentially damaging cyberattacks and risky activities. Because an organization's employees are one of the first lines of defense against cyberattacks, it is crucial that all employees are aware of common attack vectors, know how and when to prevent, respond to, and escalate a suspected incident, and understand the importance of their individual role in protecting the enterprise.

Training can come in many forms and is not one-size-fits-all. The appropriate format and level of training will vary based on factors such as industry and regulatory requirements, organizational structure, geographical constraints, business type, the types of data your organization handles, and company culture.  A comprehensive training program should be tailored to each environment, and general security awareness training is usually just the first step.  For example, providing secure configuration and secure coding training to key IT and development staff can significantly reduce the likelihood of a breach resulting from insecure code or system misconfiguration. Take a close look at the state of your training and awareness activities when performing your next risk assessment: confirm that they cover core business processes and critical assets, and that they reach all staff who participate in activities that could fundamentally impact data and system security. You should also consider tracking metrics such as the number of incidents reported, which can be a key indicator of the effectiveness of your program, and remember to review your training requirements and programs annually, as needs may change or shift over time.

Considering that cybersecurity is a fairly new discipline, some organizations are leveraging custom training to develop and/or increase skillsets for non-traditional roles.  For example, some organizations now employ so-called red teams and blue teams, whose roles are offensive and defensive respectively.  It's not uncommon to send select employees to specialized training where they learn attack and penetration techniques so they can try to exploit systems in the same manner a skilled attacker would, and conversely, to send others to training where they learn system hardening techniques and methods to protect systems and applications from such attacks.  Again, training should be dictated by an organization's needs and take into consideration the risk factors specific to its environment, with the goal of a safer computing environment and increased user awareness.

Below is a list of recommended training topics for IT users, network and system administrators, and web developers.  If you have other questions about approaches to training or training topics please contact AppSec Consulting for a free consultation. 

Safe Computing and General Security Awareness Training programs are designed to provide end users with a basic understanding of common threats, vulnerabilities and exploits.  Understanding electronic threats and attack vectors allows the user community to serve as the organization's first line of defense.  Since the most common threats are browser- and/or email-based attacks that users can avoid, knowing what to look for and how to respond is critical to keeping an organization safe.

Privacy Training programs introduce common data privacy principles for handling sensitive data; this is a key topic for any employees dealing with regulated or sensitive data or PII.

Acceptable Use Training programs serve as an effective tool for educating users about permissible computing activities and guidelines when using company-owned equipment and resources and/or accessing corporate systems from personal devices.  This type of training program will typically include an overview of corporate policies regarding social media practices and the use of third-party applications for company business.  It often also covers the disciplinary actions that follow non-compliance with or violations of company policy.

Incident Management Training programs are intended to educate management and staff on how best to identify and respond to events and incidents.  Stakeholders will learn the difference between an event and an incident and what steps should be taken in response to various activities.  This training will often include Disaster Recovery and Business Continuity principles and mock scenarios.  The purpose of this training is to prepare key personnel for various threat scenarios and to teach them how to respond and escalate response activities.   Typically it will involve key executives, operations and legal personnel.  It will sometimes include introductions to law enforcement and industry CERT organizations.

System Administrator and Developer Training programs are technical in nature and focus on secure configuration and defense-in-depth strategies.  Administrators learn system hardening and access control techniques they can put into practice in order to meet security and compliance requirements.  Developers learn defensive coding techniques that allow them to mitigate the common vulnerability classes attackers exploit.  Industry working groups such as the Open Web Application Security Project (OWASP) maintain a published list of the top web application vulnerabilities (the OWASP Top 10).  Training programs should carefully review these vulnerabilities and introduce proven mitigation strategies that administrators and developers can use to build secure systems and applications.
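To make concrete the kind of defect developer training of this sort addresses, here is an added example (written for this page, not taken from AppSec Consulting's course material): a lookup built by string concatenation, which is vulnerable to SQL injection (an OWASP Top 10 category), beside the parameterized version a developer would be taught to write instead. The in-memory database, table, and payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled input is concatenated into the statement, so it is
    # parsed as SQL. This is the "before" pattern that training warns against.
    query = (
        "SELECT username, role FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver binds the value as data, so quotes or
    # keywords inside it cannot change the structure of the statement.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload; 'nobody' matches no row on its own.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run both lookups against the same payload and return the rows each one
    leaks. The vulnerable version returns every user; the hardened one none."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "hardened": lookup_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block shows the vulnerable lookup returning both users for a username that should match nothing, while the parameterized lookup returns an empty result; the same contrast applies to any database driver that supports bound parameters.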

AppSec Consulting provides a number of Instructor-led and online training courses on a variety of topics to help your organization become aware of key security topics, including:

  • General Security Awareness
  • Privacy Principles
  • Secure Web Application Development
  • Web Application Security Testing
  • Introduction to PCI DSS
  • GDPR and Privacy

We’d be happy to talk with you about your specific needs.  Please contact us at to get a free evaluation and check out our course descriptions here.

Brian Bertacini

Brian Bertacini founded AppSec Consulting in 2005; since then the company has become a leading provider of IT security testing services, PCI assessment and validation, training and security technology integration for businesses of all sizes, including start-ups and large global enterprise clients. Mr. Bertacini is a member of ISSA, ISACA, and OWASP. He has more than 20 years' experience in software development, systems engineering and information security, fulfilling various roles at IBM, Varian and Fujitsu. Brian is the founding member of the Silicon Valley OWASP chapter and he oversees the management of AppSec Consulting to ensure the company's valued clients receive the highest quality of service.
