Choosing a Security Awareness Training Provider – KnowBe4, SANS and Security Mentor
After some recent high-profile cyber attacks in the healthcare industry, implementing mandatory cybersecurity awareness training was made a high priority for my organisation, to cover approx. 1400 healthcare staff.
I thought I’d document a high-level overview of the options I considered, in the hope that it might be helpful to anybody going down the same path. I’ll write a more detailed and technical post on the solution we decided on later in the year. For now, these are my initial observations and opinions based on demos and trial content.
In-House or Hosted?
The first decision to make was whether we could put together a decent security awareness training program in-house. The initial core requirements were:
-
- A 5-10 minute cybersecurity module to be included alongside our other non-IT mandatory training, briefly covering as many topics as possible
- Continuous training via quick, on-demand, 1-2min training modules/videos to cover topics in more detail
- Tracking of training completion/engagement
- AD integration
The decision ultimately came down to time and resources, and in particular the costs involved in producing the actual video content. The work involved to match even a basic version of what the various security awareness training providers could offer, especially when you factor in the additional standard features such as phishing simulation and reporting, was deemed too much, and so I went looking at hosted options.
I narrowed down the potential providers to KnowBe4 (www.knowbe4.com), SANS (www.sans.org), and Security Mentor (www.securitymentor.com). A introductory call was set up with all three, followed by a more in-depth technical call and demo, and finally some trial access/sample content.
KnowBe4
I would say KnowBe4 have the strongest online presence of the three providers; not necessarily an indication of quality, but their name comes up again and again in relation to security awareness training, most of it positive.
They were the quickest to get back to me when I initially reached out, and had a call set up before the others had even replied. The sales representative was certainly enthusiastic; borderline pushy, which can rub people up the wrong way, but he was genuinely pleasant and technically knowledgeable.
I had a good deep dive into their product, and was frankly very impressed from the word go. KnowBe4 is a very slick platform, I would say by far the most well developed of the three I looked at, and covered everything in a very neat an unified package.
Their phishing simulation tool was by far the most comprehensive. I loved their ASAP feature; you answer a number of questions about your industry, company makeup, intentions for training etc, and it spits out a detailed step-by-step, week-by-week calendar plan, from initial whitelisting of KnowBe4 domains on your email security filtering, to evaluating the success of the campaign 6 months down the road, with each task given an estimate time to complete. Sure, it’s a little generic and a few of the steps won’t line up with your plans, but it was great to have a rough timeline for rollout to show to the higher ups.
One thing that really impressed me about KnowBe4 was the unrestricted access to their entire video and training module library as part of a 2 week trial. The other two vendors did not supply this, and I think that spoke volumes. KnowBe4 are very confident in the quality of their product.
In saying that, the videos/modules can be a little hit and miss. There’s a lot of wacky, cringe-inducing, trying-too-hard-to-be-funny stuff; for example, one video that was show to me on the demo call was a guy eating and swallowing a colleague’s post-it note because it contained his password…eh, ok!
I kind of get the intention, that the bizarreness will make the message stick in people’s minds, and nobody wants to be forced to complete dry, boring security training. But depending on your work environment this kind of stuff just might not go down well. In my case, in the healthcare field, this isn’t the kind of stuff I want to be sending out to staff. Thankfully there’s enough “professional” content to balance things out, although you really do have to be on one of their higher cost tiers to get the decent stuff.
I also need to mention the focus on Kevin Mitnick in some of their modules. As much as I respect Kevin Mitnick and enjoy the KnowBe4 videos which are cantered on him from a technical perspective, they are pretty much useless for non-technical people (90% of our staff!). One of the training modules, within the opening 2 minutes, has him demonstrating an exploit with multiple laptops and remote shells. The majority of our staff would be tuning out immediately! I just found that any time he appeared, you knew it was going to get too technical for the average staff member, and that entire video/module could be dismissed.
Total cost for 1 year was approx. $15,300.
SANS
SANS was next up, who have a long history and solid reputation in security awareness training. I had an excellent call with their representative, who was very clued in on the requirements of the healthcare industry. SANS come across as a bit more “professional” and corporate than KnowBe4, and initially I thought their presentation style might suit our environment more.
I was impressed when they mentioned a healthcare orientated training tier; healthcare-focused modules are available on KnowBe4, but SANS seemed to have a dedicated section.
Unfortunately once I got access to the content, it was clear that it was not as polished a platform as KnowBe4, and the healthcare tract wasn’t quite as extensive as I had hoped.
The phishing simulation tool was decent, and likely provides as much functionality as the others, if not quite as slick.
However their video content was a bit of a let-down. Although it offered plenty of styles for each of their training paths (animation, host-led, live-action etc), it seemed very dated and dry, and in particular the healthcare module that was made available as part of trial access looked like it was created 15 years ago.
SANS provided only a small section of modules for preview, which I think is an important distinction to make compared to KNowBe4, who were far more open. Maybe the content I was allowed preview wasn’t indicative of their full library, but that is the risk when you provide such a small sample.
I also found SANS were quite pushy in terms of working with a “Customer Success Manager” at an extra fee; this was included in the initial quote despite not being mentioned in the demo calls, or me making any indication that we required additional support to design, deploy and review the progress of training.
Total cost for 1 year, minus the support that wasn’t required, was approx. $15,000.
Security Mentor
Last was Security Mentor, who were the slowest to get back to me. When I did eventually get on a call with one of their representatives, he didn’t fill me with confidence that this was a professional outfit. It was a little too casual for my liking, with a lot of my questions going unanswered or needing a follow-up email. It was a very poor presentation in all honesty.
Security Mentor also provided by far the most limited access to their content. I think it was a total of 4 or 5 videos. I also had to really push for even this small preview, having to eventually sign and return a usage agreement! Again, this lack of transparency on available content really stood out to me.
Security Mentor, as far as I could tell during the disjointed demo call, are very limited in terms of customising the training experience. They have a defined set of videos that constitute a training path, from which you can choose 6-12 of each year, depending on your subscription. It did not contain the kind of flexibility the other two supplier have; for example, I don’t believe you can send off a quick one-time phishing education video outside of the pre-defined training paths.
They were also the slowest to get back to me with pricing, finally sending me a quote the day before I had to go for approval of costs. When the quote came in, despite offering the most limited platform, Security Mentor ended up being by far the most expensive!
Total cost for 1 year was approx. $25,000.
Conclusion
Based on the above, it’s no surprise we went for KnowBe4. Their platform is slick, packed with content, tools and features, and they came in at a very competitive price (actually cheapest once some discounts were applied).
SANS were a close 2nd, and I feel would have been even closer if I had been provided with more transparency in the trial access.
Security Mentor were not in the running from early on, and their pricing was the nail in the coffin.