
Angus McIlwraith discusses how his experiences working in a bank in London have led him to appreciate the quality assurance that certified training offers.

I had just joined a niche bank in the City of London. It was wealthy, savvy and dealt with interesting work across the world – notably in sub-Saharan Africa. The first two days were to be spent in an induction session in the bank’s subterranean training centre. The training room was warm. The furniture and décor were sumptuous. The catering was superb. I spent the first morning in happy repose listening to the history of the bank. I heard about its investment schemes in challenging environments. I learnt about its extensive art collection. The hosts were well-presented and well dressed. The salary I’d been offered was excellent. All was right with the world. Then….

Just prior to the final coffee break of the first morning session, one of the hosts said the following. “I’m sorry to tell you that after coffee there’s a 30-minute session from the bank’s security department. It’s REALLY REALLY boring, but we all have to do it. Sorry.” I was joining the security department. After coffee, two of my new colleagues from the security department (who I didn’t know at that point) came in and set up to deliver their session. What followed was one of the dullest 30 minutes of my life. It taught me nothing (well, I should know this stuff anyway)! What was worse is that it taught none of my fellow attendees anything either. It was turgid, meandering, unstructured and patronising. It was a waste of time and air. I knew I was going to have to live with the legacy of that session. This set the tone for the relationship the security department had with the rest of the organisation.

Training does not have to be entertainment, but…. It should actually teach you something. It must be delivered to achieve some sort of objective or objectives. And it must engage you enough so that you might actually stay conscious long enough to learn something. The course material must flow, be at the right level and use the correct tone of language. It must explain unusual terminology, and attendees must be told how they might be examined or tested after the course.

And remember, it’s not just the course that matters – the trainers have to be capable. Having two dullards turn up and drone on in a monotone will do a disservice to the most beautifully crafted course. You have to cover both aspects – content and trainer. A good trainer does not have to be a stand-up comedian or a trained orator. They have to be able to LISTEN as well as talk. A good trainer will notice when their students fail to engage and be able to read the mood of the room. They also have to be able to answer questions – many of which are likely to be seriously challenging.

Certified Training

The NCSC approach to assessing training covers both elements. The course content is subject to serious scrutiny and must contain a minimum of 80% coverage of carefully defined skillsets, and supporting material must deliver the content appropriately. It must tell students how they will be tested and how long the course is. They need to know what is expected of them. Slide decks are scrutinised. Online delivery modules are examined. Timing claims are checked. Content is assessed for accuracy, correctness and completeness. Terminology is checked to eliminate culturally loaded terms that might confuse someone who is taking a course that is delivered in a second language. Slide decks are checked against a declared syllabus.

Trainers don’t get away with it. An NCSC certified course can only be delivered by NCSC certified trainers. These trainers are assessed by an Assessor sitting in on a live training session (Part A). The Assessors ensure the trainer engages appropriately, understands the content, and answers student questions fully and correctly. After the ‘live’ assessment, the trainers are also interviewed to ensure that they truly have the required knowledge and understand the mechanics of delivering the course (Part B). Trainers have to pass muster for both parts of this two-legged process – which is not trivial.

When the assessment is complete, the course can be declared suitable for NCSC certification. Remember that it can only be delivered by certified trainers. We don’t want ignorant dullards wrecking these beautifully crafted (and now certified) training courses.

Re-assessments provide quality checks

Certification provides a degree of certainty that the course you hope to take delivers what it says it will. Security, like many subjects, evolves constantly. Courses and trainers are re-assessed at suitable intervals to ensure they remain appropriate, complete and accurate. A change log has to be presented to ensure that alterations can be scrutinised and assessed. Changes to legislation are considered should they impact on the content of the course, as are changes to the threat landscape. Trainers are reassessed using similar criteria. Certification is a moving target that has to adapt to make sure the courses and the trainers that deliver them remain appropriate and relevant.

Certification does not guarantee perfection. Some courses don’t suit some people. Even the best trainer can have an off-day. What certification does is massively increase the likelihood of a course being right for those who choose it. It increases training effectiveness and reduces the chances of attendees wasting their time and money on the wrong courses. It also helps Training Providers manage content to help deliver the best product they can.

Note that changing behaviours to those considered ‘security-positive’ requires something of a whole-body approach. Communication skills, professional conduct, technical knowledge, and open-mindedness need to be allied to training to increase its impact. Taking advantage of sound certification is a very sound step in the right direction.

About the Author

Angus McIlwraith is an information security specialist with many years of experience across many sectors - notably financial services and UK Government. The second edition of his book “Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness” is due for publication in Summer 2021 by Routledge. He is an Assessor for NCSC Certified Training and the CCP scheme, and was on the panel in 2021 that updated the syllabus and exams for the BCS ISEB CISMP qualification.
