Security training beyond checkboxes
Leyr, a healthtech company aiming to improve healthcare data accessibility through interoperability, places information security at the heart of its mission. Our core focus is enhancing patient safety and clinician satisfaction by ensuring health data is securely available where it's needed most. As an organization committed to the highest security standards, including ISO27001 compliance, we understand that regular team training isn't just a requirement: it's fundamental to our success.
However, the challenge lies not just in conducting regular training sessions, but in making them truly effective. While standards like ISO27001 mandate regular team training, the real value comes from how these sessions are designed and delivered to create lasting impact.
Interactive and role-based
Vikk Lindén, who leads the internal training programme at Leyr as part of our Information Security Management System (ISMS), elaborates on how meaningful security training that actually improves your security posture can be designed.
Many organizations struggle with security training that becomes a mere checkbox exercise. According to Vikk: "A challenge in training teams in information security is designing it so that it actually improves security in the team. I think a lot of people can relate to mandatory trainings where the take home message 'don't click on suspicious links' or 'don't share your passwords' is already known. Then the training is just optics - if you're not safer after the training than you were before, it's essentially a waste of your time."
At Leyr, the approach to training is focused on practical learning and role-specific development. Vikk explains: "At Leyr, we train to learn, period. So we have focused a lot on how to make training interactive and adapted to your specific role. There are some great free tools out there - for instance interactive tests of your ability to spot suspicious e-mails. If that is where you want to increase your team’s vigilance, this will be much more effective than just mentioning it in a presentation."
Cross-functional knowledge sharing
A key aspect of Leyr's training approach is bridging the knowledge gap between technical and medical domains: "Our team consists of both technical and medical expertise. One area we have put a lot of effort into is sharing knowledge across those domains. If our tech team get an understanding of how medical professionals use data to make decisions with potentially great consequences, it is easier for them to bring such requirements into their process from the beginning. Information security should never be an afterthought, and this is an example of how we shift left."
One particularly effective method used at Leyr is the "doom workshop": "We ran a successful 'doom workshop' with the whole team. It uses a hypothetical scenario as a starting point, where things go terribly wrong - then you brainstorm on what could have contributed to such an outcome. It was a creative and fun way to get everyone involved in considering the entire scope of information security: everything from manual errors, social engineering, insider threats and natural disasters surfaced. We brought the workshop results into our risk analysis process, and as a result we could act to mitigate hazards that have not yet had a chance to be realised."
This approach to security training demonstrates how organizations can move beyond compliance-driven checkbox exercises to create meaningful learning experiences that actually improve their security posture. By making training interactive, role-specific, and engaging, teams are more likely to retain and apply security principles in their daily work.
Vikk's top 3 tips for successful security training:
1. Individualise and automate! Build different training tracks based on the roles in your organisation. A CEO will have different training needs than a backend developer.
2. Keep training short and interactive to increase engagement and learning.
3. Benefit from some of the free tools out there:
This training overview is shared as part of a project funded by NCC-SE and MSB.