KPMG IT Expert: Practitioner-Trainers Make Training Engaging and Practical

Interview with Ivar Anton:

KPMG Baltics offers a range of cyber security and IT audit training courses. Who are they designed for?

Our IT audit and cyber security unit offers training in IT audit and compliance topics, on the one hand, and cyber security courses, such as web testing and red teaming, on the other hand.

Our courses are designed for different target groups. For risk management professionals, including those involved with information security standards, we offer courses specifically tailored for CISOs and IT security specialists. Technical professionals working with networks can attend our secure software development training, where they will learn to identify vulnerabilities in their code and understand how these may be exploited.

Another major focus area is IT and information security courses related to ISO standards. The best-known of these is ISO/IEC 27001 for information security management systems (ISMS), for which we offer training for both implementers and auditors. Our ISMS training is well-suited to an organisation’s CEO, management board member or CFO, as it covers the process of establishing an information security system within the organisation.

Upon completion of this training, the participants can also obtain a certificate, which is included in the training fee. Implementing the standard requires experience, of course, but our training provides a framework and helps with interpretation.

The range of training courses you offer is quite broad. How do I know which one I need to improve my organisation’s cyber security posture?

It depends somewhat on the level of information and cyber security within the organisation, in other words, how far you’ve come on your cyber security journey. If you are unsure, it’s advisable to first verify whether any standards have been implemented at all. If this is not the case, you can start by introducing an information security standard, for example. However, the world of ISO standards is vast, encompassing areas such as risk management, business continuity management, etc.

More technical training courses, such as on penetration testing, can be taken at any time. Whether you will actually start conducting penetration testing in your organisation after completing the course depends on your level of experience and the specific field in which you work. The course is still useful as it will provide insights into the kinds of risks involved, what actions should be taken and how frequently.

In other words, you can always audit the basics and perform security checks on your website and the core software used in your organisation. Additionally, many cooperation agreements with partners now require risk management practices or regular penetration testing.

How is the decision to participate in a training course typically made by and organisation? Do you have to actively sell your courses, or do clients approach you, or does the need for training arise over the course of a longer-term cooperation between KPMG and the client?

During the implementation of ISO standards, we advertise our training offerings in collaboration with the international organisation PECB, whose platform we can use to deliver a broader range of training courses. We can therefore resell the full range of PECB training courses, whereas in Estonia, the range of our own face-to-face or Teams-based trainings is more limited. This is how interest is initially sparked, but increasingly, clients are approaching us directly.

 Our most popular courses are in the areas of general risk management and business continuity management. Thanks to the European Union’s Digital Operational Resilience Act (the DORA regulation), these topics have gained increased importance and attention in large organisations, particularly in the financial sector, where DORA’s implementation is mandatory.

In addition, the cyber security assessment and development grant provided by the Estonian Business and Innovation Agency has sparked greater interest in understanding the risks of the cyber world. This has resulted in training requests from organisations.

There are also cases where management, having realised that cyber security risks have been included in the organisation’s risk assessment, invite us to provide cyber security training for managers. Sometimes, such requests are quite specific, as clients have a fairly clear idea about their needs. At other times, clients simply wish to learn more about the topic. In this case, we hold discussions to better understand their needs and, where possible, offer relevant training.

To what extent are these training courses aimed at professionals already working in a particular field, and to what extent are they intended for those moving, or aspiring to move, to a new role within an organisation?

First of all, it depends on the individual’s experience, particularly whether they have obtained some certifications or acquired a basic level of knowledge in the relevant field. However, if you are moving to a new position within the organisation or taking on additional responsibilities, it’s worth considering further training.

In such case, the employer may be willing to cover the cost of the training, especially because some courses offered by large multinational organisations can be quite expensive. The KPMG training offerings in Estonia include courses for technical professionals as well as for employees responsible for overall risk management.

How are the courses structured, and how much are participants engaged? Are they more like lectures, or rather interactive workshops with active participant involvement?

That depends on the training course. For example, our advanced training course on ISO standards lasts four days. The course is largely lecture-based, but there are some tests and exercises, and the topics are covered in a discussion format.

The best training sessions that I have attended are those that bring together participants with diverse experiences and backgrounds. In these sessions, participants share their insights and ask highly specific questions, such as how to implement a particular management system within a specific organisational context.

More technical courses – such as OWASP training for developers – also include environments where newly acquired knowledge can be tried out and applied, allowing participants to immediately put theory into practice.

Certification training courses can be quite extensive and lengthy, lasting from a week to ten days, including the exam. Participants are given a project to analyse and identify any vulnerabilities. They then produce a report detailing their findings and the methods used to uncover them, and propose solutions and preventive measures to mitigate these vulnerabilities.

To what extent do the trainings incorporate practical examples that allow participants to learn from mistakes?

Our trainers are practitioners in their respective fields and hold certifications across various specialisations. This is true for both ISO and cyber security training courses: our trainers have the relevant certifications, work experience and practical expertise.

Whose mistakes will participants learn from? Does the training incorporate real client cases?

They don’t learn so much from clients’ mistakes, but instead focus on identifying common basic weaknesses that tend to recur across different clients more often than one would like. However, occasionally we identify gaps or vulnerabilities specific to a particular client. Nevertheless, certain main shortcomings tend to recur quite frequently, with the same weaknesses observed across different organisations and clients.

A trainer with practical experience can share insights gained from their daily work with different clients, can’t they?

Yes, absolutely. They can teach how to plan activities, address problems, implement technical solutions, and share challenges they’ve encountered in the past. This is what makes the training inspiring for experienced professionals – when a trainer-practitioner uses their own real-life examples and contextualises them within the training content.

Moreover, when participants share practices or experiences from their own organisations, then such collaborative learning is always highly stimulating.

Should training participants be prepared to discuss what’s happening in their own organisation – for example, what they are doing in cyberspace and how?

It depends on the content of the training, but generally we don’t expect them to do it. We certainly don’t have a requirement for the participants to present the shortcomings or weaknesses of their organisation. However, engaging in discussions during training sessions on specific topics can be valuable, as participants will gain insights into how a particular methodology has been interpreted and applied by their peers.

In the case of the ISO standard, for example, it is important to know the correct sequence of actions. No one is required to use their organisation as an example of specific actions. Rather, insights will be provided by the trainer, drawing from their own experience. Of course, speaking openly about your own experience is welcome. In some larger groups, participants may not even know which organisation others represent.

You mentioned that some training courses are delivered in partnership with PECB, an external training and certification body. Could you explain what this organisation does and why you collaborate with them?

Their focus is on providing ISO standards training and certification across the world, primarily for individuals rather than organisations. There are two major organisations in the world – PECB and IRCA – that provide training on ISO standards. PECB’s offerings are better suited to our needs; among other advantages, they also provide training in Estonian when required. However, our trainers hold certifications from both organisations.

So PECB provides the platform, materials and information, while we have certified trainers either online or in the classroom. The final exam is conducted through the PECB platform. Thus, we don’t have to develop and manage our own platform. PECB supplies the training materials and content but recruits external trainers who are practitioners.

After passing the exam, participants are issued a certificate, which remains valid for three years. To keep the certificate valid, you are required to complete at least 20 hours of additional study in the relevant field each year, participate in seminars, etc. In other words, there is a professional development requirement: you must demonstrate what you have done and how, and you are also required to pay an annual fee to maintain the certificate.

If you fail to meet the requirement of 120 academic hours’ study over three years, your certificate will be withdrawn.

Another advantage of collaborating with PECB is that if certain training is not available in Estonia, it can be delivered by other trainers. Additionally, recorded online courses are available, which can be taken independently or alongside other courses.

What is the proportion of training sessions conducted in person in the classroom?

It depends; we also offer on-demand video training courses that can be completed at your own pace. For a classroom training, a minimum of five participants is required. One advantage of online training is that there is no need to travel to Tallinn, but you can participate, for example, from Tartu or even from your summer cottage in Saaremaa, provided you have a good internet connection.

The most popular training format is on-demand video training, allowing you to progress at your own pace. This is followed by training sessions conducted via Teams, with classroom training being the least common option nowadays.

If you request training today, you can gain access to video-based learning by tomorrow or the following day – this is the quickest and most convenient solution. Finding time for classroom training can be challenging, particularly for senior managers or top professionals with busy schedules filled with meetings and appointments, especially for courses that span several days.

Is it possible to arrange training exclusively for a group of my employees at my organisation?

Yes, of course. Such training sessions can be held in the organisation’s own meeting room, a familiar space where participants are used to gathering. However, if the training requires special conditions, such as access to a technical testing environment, we will need to discuss the options with the client.

How do client needs steer the content of your training programme? Do you develop new courses based on client feedback or expectations?

Of course! And that is a very good question! Additionally, we monitor the topics of interest to our audience and stay updated on global developments, market trends, and emerging technologies. In the field of cyber security, relevant topics include phishing emails, web application testing and the adoption of cloud technology.

In the context of audit and compliance, key areas of focus in the ICT area include risk management, business continuity management and digital capability assurance. The keywords here are NIS2 and DORA, with an increasing number of institutions and individuals needing to engage with these issues. With this in mind, we are trying to identify trainings that are relevant in the Estonian context.

How does the training content evolve over time in response to advancements in technology and the changing landscape of cyberspace and cyber threats?

The content of our training courses is frequently updated, especially for practical courses, where trainers regularly review and update the material and examples. The introduction of new software or operating systems can alter the landscape of risks and threats.

It’s impossible to predict where vulnerabilities will surface or how the risks will shift in the event of another large-scale ransomware attack, such as WannaCry. This could prove to be both an industry-specific and a general risk.