Cyber Training and Education Makes a Real Difference

You cannot overstate the importance of training and education in terms of mitigating the risks associated with cyberattacks. However, you need to plan how the training and education program aligns with your organisation’s defined job roles, so that you get the best bang for your buck – and overall impact on your organisation’s security posture.

Many people not working in cybersecurity don’t realise just how complicated it really is. Often the capabilities individuals need to deliver the requirements of their job role are misunderstood by management. Some think it’s all about just running an antivirus product or installing a firewall.

Furthermore, given the vast array of certifications available in an overcrowded market – CISSP, OSCP, CISM, CISMP, CIPM, etc. – it’s difficult to even know where to start.

A major issue many discover is that the CISSP, for example, requires five years of experience and is a hard exam to pass. This constraint helps keep the certification for those who have the relevant experience to be called a security professional, but there are many ways to add value to your organisation’s security program without the CISSP credential. If you need to hire someone, first consider what that person needs to do their job and which certifications may help. This blog post looks at the world of cyber training and education and offers suggestions that will help you be successful.

The Skills Gap: Fact or Fiction?

Over the past decade, much has been written on the global cyber security skills shortage. There is debate on whether this skills shortage is as bad as it’s being made out to be. Evidence does suggest that the issue is real, but clouded by a misalignment of job roles across industries and nations. It does appear that there are not enough adequately skilled cyber security professionals to fill all the roles out there, so what can organisations do to address this?

The first question to ask yourself is whether you should recruit externally or attempt to upskill internally, targeting people with the right mindset and appetite to give security a try. If you decide to hire externally, the tightly worded job roles are vital to success. But don’t overdo the description or look for a blend of skills that limit your success. Cyber security is a wide and varied industry, if you consider all the possible roles, from senior executives to forensic investigators, pen testers, architects and developers, most people won’t have the skills to be a superstar in all areas.

In Australia, confusion reigns supreme over who cyber security professionals are in terms of experience, skills, maturity and certifications. No industry body has taken the time to define what job roles are required (this was done elsewhere, such as in the UK by the IISP), so hiring managers going to market for, as an example, a senior security architect, will end up with CVs from endpoint security specialists, firewalls engineers and network architects, all of whom are likely skilled in their own specialisms, but not security architects. If you combine this issue with the wide range of certifications and certification bodies, along with market acceptance of those certifications, it’s little wonder recruiters and hiring managers can’t find the right staff.

We believe that the skills gap isn’t as clear cut as it’s made out to be and if job role definitions and continuing professional development was tightly coupled, then organisations would be better to create their own security professionals than trying to force ill-fitting new hires into a role.

Hiring junior team members in the security team and mentoring them (as long as you have the senior leadership) is also a valid approach and one that has yielded great results; it’s also an approach that has been mobilised in other professional industries with great success. The notion of running an internal apprenticeship scheme can then be integrated into your team’s career development plans, where formal training can be mixed with on-the-job experience and mentoring. 

Are Job Role Maturity Models Worthwhile?

Skills for the Information Age (SFIA) is a skills and competency framework that demonstrates how job roles and skills (and experience) relate to business activities. SFIA lists the competencies expected of cyber security professionals at each level of seniority, from junior analyst roles all the way up to CISOs, security architects and consultants.

By aligning SFIA with your career development programme, you can map the competencies required in each job role, then list the baseline competencies for each level of seniority. When you profile one of your team, you identify the gaps in their experience or knowledge that need addressing before they can be promoted, which makes the discussion about progression and readiness easy.

Furthermore, if you define these job roles using SFIA, they will have meaning when you go to external recruitment. If you go to market for a security architect and state you want a level 2 senior security architect, as defined in SFIA, then you can have the recruitment agency filter through only those candidates with the requisite level of capability. 

Experience Matters – Incident Response

Some security certifications are so broad that they teach little in terms of practical application of skills. CISSP is a good example, where the certification doesn’t help security professionals do their day job, rather it’s testament that the person with the CISSP has a wide knowledge and requisite experience: more like a licence to operate than a skills uplift. We believe that continual on-the-job training is a more effective way of learning security, with courses in specific disciplines such as risk management, report writing, business case writing, etc. also factored into development plans.

The incident management discipline is a great example of where it is necessary to gain experience responding to real attacks before you can expect to lead a response activity. When you are in the middle of handling a cyber catastrophe, with systems malfunctioning, malware breaking out across multiple networks and senior managers screaming for answers, you’ll be under enormous pressure. No amount of classroom roleplaying prepares someone for dealing with a major incident, however, companies can model threats and business impacts, so the basic premises of what constitutes an incident are understood by everyone.

The security operations team can focus on building playbooks – standard response plans – for each of your incident categories, documenting the basic steps of what to do during the attack. This is how response-oriented professionals prepare: take the fire service, for example. Fire response teams will plan how to extinguish different kinds of fires: chemical fires are different to house fires, which are different to bushfires. They would never rush into a bushfire situation without a plan. Their team would gather information from as many sources as possible; from the Bureau of Meteorology, from local law enforcement and DFES. This is known as situational awareness. Proper preparation and planning, with data from meteorological reports and local geography, help them make good decisions and save lives. They would never send an inexperienced firefighter, straight from college, to the frontline, even if she had perfect grades.

Professional training courses in cyber security disciplines like incident response do exist and you can push your team through this training path as part of their development programme. ISO 27035 training, for example, will teach your team the processes they should adopt to respond to a cyber-attack. However, formal training should always be followed by a series of exercises and fire drills to put them under pressure, even if simulated. If you run a programme of increasingly complex tests that check the limits of their ability, allowing them to work as both contributing SMEs and as the incident manager.

By doing this, you can watch how the team works together and monitor the efficacy of the response plan, thus honing the processes as you go and transforming the team from enthusiastic apprentices into battle-ready operatives. 

What About End User Awareness Training?

Security awareness training is another aspect of education that receives a lot of criticism. Evidence shows that no matter how many hours of awareness training users take, the number of incidents from phishing attacks and password reuse (two of the most prominent reasons why people are compromised) hasn’t materially decreased. The explanation for this apparent failure is relatively simple to identify, but harder to fix.

Our approach to security awareness builds on basic awareness by incorporating elements of continual professional development into programme design. When staff resume their day jobs in sales, marketing, planning, research and delivery, their mindset shifts from security back to the task in hand. If a sales manager is in a hurry to clear his inbox before a customer meeting, he won’t be thinking about being a phishing target. He certainly isn’t stupid or irresponsible (as many IT administrators would tell you), rather he is a busy, successful professional with a lot on his mind, which often doesn’t correlate with caution and consideration of abstract threats such as cyber security.

Security awareness needs to be a target for the executive leadership team, with stakeholders like the HR team and workforce planning also included as stakeholders to make it successful. If security can be made meaningful and integral to how people are in your organisation, the continual reminders make it second nature for staff to consider threats.

Our approach is that we help you affect change by designing a programme that incorporates training, briefings, technology, fire drills (internal phishing campaigns to test efficacy), letters – or videos – from the CEO and briefings cascaded through management to staff in town hall meetings. Posters, mailshots and prizes for staff who spot security issues (much like staff being asked to report health and safety issues) are useful techniques for raising awareness. Targeted awareness for specific job roles is also a beneficial approach, where managers, system administrators, reception staff and mobile workers have different things to think about, and this targeted content will make your training stick.

For more information on cyber training and education, contact Sekuro today to talk to an expert.

 

 

Scroll to Top

Aidan Tudehope

Co-Founder of Macquarie Technology

Aidan Tudehope, Co-Founder of Macquarie Technology

Aidan is co-founder of Macquarie Telecom and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group with a focus on business growth, cyber security and customer satisfaction. 

Aidan has been responsible for the strategy and execution of the investment in Intellicentre 4 & 5 Bunkers, Macquarie Government’s own purpose-built Canberra data centre campus. This facility is leveraged to deliver Secure Cloud Services and Secure Internet Gateway.

With a unique pan-government view on the cyber security landscape, we are invested in leading the contribution from the Australian industry on all matters Cyber policy related.

Aidan holds a Bachelor of Commerce Degree.

James Ng

CISO, Insignia Financial

James Ng, CISO, Insignia Financial

James is a leader with a range of experience across various cyber security, technology risk and audit domains, bringing a global lens across a diverse background in financial services, telecommunications, entertainment, consulting and FMCG (Fast Moving Consumer Goods). He is currently the General Manager – Cyber Security at Insignia Financial and most recently was at AARNet (Australia’s Academic and Research Network) where he oversaw a managed Security Operations Centre (SOC) capability for Australian universities. Prior to this James was the acting Chief Information Security Officer for Belong and led the cyber governance and risk team at Telstra.

Noel Allnutt

CEO, Sekuro

Noel Allnutt CEO | Sekuro

Noel is a driven and award-winning IT leader. He has a passion for developing great teams and accelerating client innovation, and in enabling organisations to create a secure and sustainable competitive advantage in the digital economy. Noel also hosts the ‘Building Resilience Podcast,’ which explores the world of sport and deconstructs the tools and ethos of world-class athletes that can help create growth and optimise business and life.

Audrey Jacquemart

Bid Manager, Sekuro

Audrey Jacquemart, Bid Manager, Sekuro

Audrey is an innovative cybersecurity professional with a versatile profile spanning across Product Management, Presales and Delivery. She has worked within organisations from start-ups to large international organisations in Europe and APAC before joining Sekuro.

Nicolas Brahim

Principal Consultant, CRP and OT

Nicolas Brahim, Principal Consultant, CRP and OT

Nico leads Sekuro’s Cyber Resilience Program and OT Cybersecurity, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.

Trent Jerome

Chief Financial Officer, Sekuro

Trent Jerome

Trent is a seasoned CFO with over 30 years’ experience in Finance. Trent has broad experiences across Capital raises, debt financing, M&A and business transformation. He is a CPA and member of AICD. Trent works with Boards around risk and risk mitigation plans and assists Boards in navigating the risk mitigation versus cost conversation.

Ada Guan

CEO and Board Director, Rich Data Co

Ada Guan, CEO and Board Director, Rich Data Co

Ada is the CEO and Co-founder of Rich Data Co (RDC). RDC AI Decisioning platform provides banks the ability to make high-quality business and commercial lending decisions efficiently and safely. With over 20 years of global experience in financial services, software, and retail industries, Ada is passionate about driving financial inclusion at a global scale.

Before launching RDC in 2016, Ada led a Global Client Advisor team at Oracle Corporation, where she advised Board and C-level executives in some of the largest banks globally on digital disruption and fintech strategy. She also drove Oracle’s thought leadership in banking digital transformation for Global Key Accounts. Previously, Ada implemented a multi-million dollar program to deliver a mission-critical services layer for Westpac Bank in Australia and formulated the IT strategy that was the basis of an $800m investment program to transform Westpac’s Product and Operation division and complete the merger with St. George Bank. Ada is an INSEAD certified international director and holds an EMBA from the Australia Graduate School of Management, and a Master of Computer Engineering from the University of New South Wales, Australia. She also graduated from the Executive Insight Program at Michigan University Ross Business School and IESE Business School.

Megan Motto

Chief Executive Officer, Governance Institute of Australia

Megan Motto, CEO, Governance Institute of Australia

Megan Motto is Chief Executive Officer of Governance Institute of Australia, a national education provider, professional association and leading authority on governance and risk management. The Institute advocates on behalf of professionals from the listed, unlisted, public and not-for profit sectors.

Megan has over 25 years of experience with large associations, as a former CEO of Consult Australia, as well as holding significant positions in Australia’s built environment sector and business chambers.

She is currently a director of Standards Australia, a member of the ASIC Corporate Governance Consultative Panel and a councillor of the Australian Chamber of Commerce and Industry (ACCI) where she chairs the Data, Digital and Cyber Security Forum.

Megan’s expertise spans governance, risk management, public policy and education. She holds a Bachelor of Arts/Bachelor of Education, a Masters of Communication Management and a Graduate Diploma of Corporate Governance and Risk Management. She is a Fellow of the Governance Institute of Australia, the Chartered Governance Institute and the Australian Institute of Company Directors and is also a member of Chief Executive Women. Megan is also an Honorary Life Trustee of the Committee for Economic Development of Australia (CEDA) and was a 2014 recipient of the AFR/Westpac 100 Women of Influence.

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan, Chief Growth Officer, Sekuro

Sekuro’s Chief Growth Officer, Shamane Tan, is passionate about uniting minds and experiences, excelling in aligning C-Suite and Board members with cyber security imperatives. As the author of “Cyber Risk Leaders,” she unravels executive communication nuances and distils C-Suite expectations. 

Her work extends to “Cyber Mayday and the Day After,” a roadmap for navigating crises by mining the wisdom of C-level executives from around the globe. It’s filled with interviews with managers and leaders who’ve braved the crucible and lived to tell the tale. Her most recent book, “Building a Cyber Resilience: A Cyber Handbook for Executives and Boards,” was featured on Forbes Australia’s top list of books for CEOs. 

Shamane has also founded a transcontinental cyber risk and executive meetup spanning Sydney, Melbourne, Adelaide, Perth, Singapore, the Philippines, and Tokyo, fostering mentorship, women’s empowerment and thought leadership. As a strong advocate for the importance of having a voice and helping others use theirs, Shamane Tan has spoken at TEDx and global conferences, including FS-ISAC, RSA, Silicon Valley, Fortune 500 and ASX companies. 

Recipient of the IFSEC Global Top 20 Cybersecurity Influencer award and named among the 40 under 40 Most Influential Asian-Australians, Shamane leverages her unique fusion of technical prowess and business acumen to help organisations progress on their security maturity journey.

David Gee

David Gee, CIO, CISO, NED, Board Advisor & Author

 

David Gee, CIO, CISO, NED, Board Advisor & Author

David has just retired in July 2024 and is building out his portfolio. He is an Advisor with Bain Advisory Network and also an Advisor to JS Careers (Cyber Recruitment) and Emertel (Software Commercialisation).

He is a seasoned technology executive with significant experience and has over 25 years’ experience in CIO and CISO roles across different industries and countries. At Macquarie Group David served as Global Head Technology, Cyber and Data Risk. Previously was CISO for HSBC Asia Pacific. His career as a CIO spans across multiple industries and geographies including – Metlife, Eli Lilly and Credit Union Australia. He was winner CIO of the Year 2014, at CUA where he successfully completed a significant Transformation of Core Banking, Online and Mobile Banking systems.

David is past Chairman for the FS-ISAC Strategy Committee and awarded Global Leaders Award in 2023 for his contributions to the cyber security industry. A regular conference keynote speaker and 150+ published articles for CIO Australia, Computerworld, iTnews and CSO (Cyber Security), David now writes for Foundry CIO.com and AICD.

His most recent book – the Aspiring CIO & CISO was published in June 2024 and David is writing his second – A Day in the Life of a CISO with a number of CISOs from around the world for 2025.

Naomi Simson

Co-founder, Big Red Group and Former Shark Tank Judge

Naomi Simson, Co-founder, Big Red Group

INTRODUCTION

For 25 years as an entrepreneur, Naomi Simson has been bringing people together whether it’s with her business experience, her speaking or writing. Passionate about small business and local community, Naomi is considered a home grown success story.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia and she appears regularly on ABC The Drum. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano, as well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has four seasons of her podcast ‘Handpicked’, and she has authored two best-selling books Live What You Love, and Ready to Soar, and is sought after speaker.

FULL BIO

For 25 years Naomi has been bringing people together whether it’s with her business experience, her speaking or writing. She is a strong advocate of business owners.

Known as an entrepreneur and business leader; following the growth of RedBalloon which she founded in 2001, Naomi co-founded the Big Red Group (BRG) in 2017.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano. As well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has authored two best-selling books Live What You Love, and Ready to Soar, and is an engaging, humorous and insightful speaker. She has four seasons of her Podcast – Handpicked.

Naomi is relatable across a broad variety of audiences and topics, often drawing on her personal experiences to provide thoughtful and valuable views into topics; including the customer obsession, intentional leadership, growth mindset, personal development. She is a regular panellist on ABC The Drum.

Peter Ngo

Product Line Manager, Global Certifications, Palo Alto Networks

Peter Ngo | Sekuro

Peter leads the Commercial Cloud, Global Certifications organisation at Palo Alto Networks which oversees global cloud security compliance efforts to various frameworks and standards including IRAP, SOC 2, ISO, PCI, C5, ISMAP, and IRAP and more for 25+ cloud products.

He has held many roles over the years covering areas of IT Operations, and Governance, Risk, & Compliance (GRC) for a wide range of industries including technology, insurance, and manufacturing.

Peter holds various security and professional certifications, including the CCSP, CISSP, PCI ISA, CISA, CISM, CDPSE & ISO Lead Auditor, in addition to a Master of Science degree in Information Assurance. 

Jack Cross

CISO, QUT

Jack Cross | Sekuro

Jack Cross is an experienced business leader with expertise in digital technologies and risk management. Through a steadfast commitment to integrating people, processes, and technology, he champions the fight against cyber threats while mitigating organisational risks. 

Over the past 15 years, Jack has navigated diverse leadership roles within the Defence and Education sectors, honing his skills in steering multidisciplinary teams through intricate and sensitive technical landscapes. In addition to this experience, he holds numerous formal qualifications such as: a Master of Systems Engineering (Electronic Warfare); CISSP; and CISM certifications.

Nadene Serman

Global CTO, Infotrack

Nadene Serman | Sekuro

Nadene Serman is a leading IT executive with a proven track record spearheading first-of-its-kind technology and business transformation for some of the most prominent organisations globally and in Australia. As the Global Chief Technology Officer of InfoTrack, she is a key protagonist of innovation as an enabler of InfoTrack’s next stage growth. Her energy, commercial acuity and strategic capability have fueled her success.

Nadene leads with clarity, transparency and urgency, uniting people in complex, multi-layered technology and business execution, and go-to-market transformation and innovation. She tackles and resolves complex and seemingly intractable challenges while building support and collaboration – even in times of crisis. Her people-first, ‘think straight, talk straight’ approach makes her a formidable force.

John Doe

President Great Technology

Cyber Resilience Program | Sekuro

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.