Building an impactful security training programme to handle the volume and sophistication of today’s AI-enabled cyberattacks

By Alexia Pedersen, SVP International of O’Reilly
Digital assaults that are underpinned by AI are quickly becoming one of the most predominant issues on the planet, with the National Cyber Security Centre warning that the use of AI for malicious purposes will significantly shape the threat landscape as we know it today. Whether it’s sophisticated phishing emails or deepfake videos, this technology is enabling relatively unskilled threat actors to carry out more effective access and information-gathering operations than ever before.
On top of this, O’Reilly’s research highlights that nearly a quarter (24%) of learning professionals within British tech companies say cybersecurity is the digital skill most are lacking. As such, the vast majority (88%) of companies plan to spend more than £25,000 in the next twelve months to fill crucial roles, with cybersecurity top of the priority list.
Ultimately, the dual crisis of AI-enabled threats and a widening skills gap is not one that companies can hire their way out of. So, how can organisations and their employees keep pace with the sophistication and volume of attacks? And will the EU AI Act help?
The evolving regulatory landscape
While the EU’s AI Act is a significant step forward in regulating AI to ensure its safe and ethical development, there is a long way to go before we can secure our digital future.
Today, the Act focuses on security, transparency, and accountability to mitigate the risks associated with AI. By imposing stringent security requirements on high-risk AI systems – like those used in critical infrastructure – the Act ensures these systems are designed to be accurate, robust, and secure against unauthorised access and manipulation. It also requires these systems to have robust cybersecurity measures in place, including regular security assessments, vulnerability management, and incident response plans.
Furthermore, the Act mandates transparency in the development and deployment of AI systems – providing clear information about the system’s capabilities, limitations, and potential risks. Meanwhile, companies developing and deploying high-risk AI systems will be held accountable for any harm caused by their systems. This creates a strong incentive for organisations to prioritise cybersecurity and ensure the security of their AI systems.
The AI Act also emphasises the importance of mitigating bias and discrimination in AI systems. This includes ensuring that AI systems are trained on diverse and representative data to avoid unfair outcomes. By promoting fairness and non-discrimination, the AI Act indirectly contributes to a more secure digital environment.
As the regulatory environment continues to evolve, organisations have a responsibility to educate their staff on the ever-evolving risks posed by AI-enabled cyberattacks. We recommend keeping the following key steps in mind for building an impactful, AI-related security training programme.
- Identify the key stakeholders that can drive the programme forward
Firstly, decide who should take charge. Ideally, the leadership of your programme should be a collaborative effort between IT and those responsible for learning and development. IT specialists provide the technical expertise, ensuring the content is relevant and appropriately complex, while learning professionals contribute their knowledge of learning strategies, programme design, and evaluation to ensure effective delivery.
However, given the complexities of today’s threat landscape, it’s important that leadership is also involved to align the programme with the organisation’s strategic goals. Emerging roles like Digital Transformation Leaders and Chief AI Officers are becoming increasingly critical stakeholders, and involving them in this process will help support change management as a new initiative gets rolled out.
- Align your unique organisational needs with your programme
The next key step is to assess your organisation’s current needs and skill gaps against future needs. By engaging with all stakeholders, from leadership to employees and IT specialists, organisations will gain a comprehensive understanding of their unique technology landscape. Focus on the relevancy, variety, and flexibility of available high-quality learning content when rolling out a new skills programme. This approach will guarantee the programme addresses current industry trends and incorporates your organisation’s professional IT certifications, while also anticipating future needs.
- Maximising impact with a blended learning approach
A blended learning approach is important. After all, your education programme must cater to a variety of learning styles and paces, so a combination of theoretical learning and hands-on practice is important to provide staff with robust and thorough knowledge.
Your programme should therefore integrate a mix of learning channels including digital learning, webinars, workshops, and one-on-one mentorship. Self-paced e-learning modules, for example, will allow for flexibility while scheduled sessions offer real-time interaction. At the same time, workshops, mentoring, and on-the-job practice will offer more opportunities for experiential learning. Ultimately, a mix of content to suit different learning styles and abilities will make the training accessible, engaging and inclusive for all designated participants.
- Data and insights: Ways to measure success
Once the programme is up and running, continuous monitoring and evaluation of skill development will enable you to gauge its effectiveness and make refinements where needed. Success for your training programme can be gauged through various methods, with a key one being regular technical assessments or certifications to verify the development of skills.
At the same time, you should conduct regular reviews to build a culture of learning, checking in with managers to assess progress and adapt as needed. Longer-term, you should also measure changes in performance metrics post-training, such as the reduction in IT-related errors or increased productivity in assigned tasks. In addition, build engagement plans and activities to maintain this momentum. This combination will allow you to improve the programme in real time and address your employees’ dynamic learning needs.
Looking ahead, business leaders need to put adequate investment behind the development of education programmes that educate staff on the risks posed by AI-enabled cyberattacks. This should be driven by IT and learning professionals, given that the combination of their indispensable expertise will maximise effectiveness.
Both stakeholders must spend time pinpointing a diverse range of employees to drive forward their training programme, as well as identifying their company’s unique operational needs to ensure training is tailored and highly relevant. As an example, in Q2 2024, Check Point Research reported a 30% YoY increase in cyberattacks globally, reaching over 1,600 attacks per organisation per week. As AI initiatives continue to expand, awareness and skills in cybersecurity will be essential.
Whether you are developing AI solutions in-house, purchasing third-party technology with embedded AI, or partnering with AI tools, it’s critical to have a plan in place and implement comprehensive security training across the organisation. Only when armed with this foundational knowledge will learning professionals and IT leaders be empowered to identify the most suitable L&D partner that can support their unique needs and objectives.