You cannot overstate the importance of training and education in terms of mitigating the risks associated with cyberattacks. However, you need to plan how the training and education program aligns with your organisation’s defined job roles, so that you get the best bang for your buck – and overall impact on your organisation’s security posture.
Many people not working in cybersecurity don’t realise just how complicated it really is. Often the capabilities individuals need to deliver the requirements of their job role are misunderstood by management. Some think it’s all about just running an antivirus product or installing a firewall.
Furthermore, given the vast array of certifications available in an overcrowded market – CISSP, OSCP, CISM, CISMP, CIPM, etc. – it’s difficult to even know where to start.
A major issue many discover is that the CISSP, for example, requires five years of experience and is a hard exam to pass. This constraint helps keep the certification for those who have the relevant experience to be called a security professional, but there are many ways to add value to your organisation’s security program without the CISSP credential. If you need to hire someone, first consider what that person needs to do their job and which certifications may help. This blog post looks at the world of cyber training and education and offers suggestions that will help you be successful.
The Skills Gap: Fact or Fiction?
Over the past decade, much has been written on the global cyber security skills shortage. There is debate on whether this skills shortage is as bad as it’s being made out to be. Evidence does suggest that the issue is real, but clouded by a misalignment of job roles across industries and nations. It does appear that there are not enough adequately skilled cyber security professionals to fill all the roles out there, so what can organisations do to address this?
The first question to ask yourself is whether you should recruit externally or attempt to upskill internally, targeting people with the right mindset and appetite to give security a try. If you decide to hire externally, tightly worded job role descriptions are vital to success. But don’t overdo the description or look for a blend of skills that limits your chances of finding anyone. Cyber security is a wide and varied industry; if you consider all the possible roles, from senior executives to forensic investigators, pen testers, architects and developers, most people won’t have the skills to be a superstar in all areas.
In Australia, confusion reigns supreme over who cyber security professionals are in terms of experience, skills, maturity and certifications. No industry body has taken the time to define what job roles are required (this was done elsewhere, such as in the UK by the IISP), so hiring managers going to market for, as an example, a senior security architect, will end up with CVs from endpoint security specialists, firewall engineers and network architects, all of whom are likely skilled in their own specialisms, but are not security architects. If you combine this issue with the wide range of certifications and certification bodies, along with the varying market acceptance of those certifications, it’s little wonder recruiters and hiring managers can’t find the right staff.
We believe that the skills gap isn’t as clear cut as it’s made out to be, and that if job role definitions and continuing professional development were tightly coupled, organisations would do better to create their own security professionals than to force ill-fitting new hires into a role.
Hiring junior team members into the security team and mentoring them (as long as you have the senior leadership in place to do so) is also a valid approach and one that has yielded great results; it’s also an approach that has been mobilised in other professional industries with great success. The notion of running an internal apprenticeship scheme can then be integrated into your team’s career development plans, where formal training is mixed with on-the-job experience and mentoring.
Are Job Role Maturity Models Worthwhile?
Skills for the Information Age (SFIA) is a skills and competency framework that demonstrates how job roles and skills (and experience) relate to business activities. SFIA lists the competencies expected of cyber security professionals at each level of seniority, from junior analyst roles all the way up to CISOs, security architects and consultants.
By aligning SFIA with your career development programme, you can map the competencies required in each job role, then list the baseline competencies for each level of seniority. When you profile one of your team, you identify the gaps in their experience or knowledge that need addressing before they can be promoted, which makes the discussion about progression and readiness easy.
Furthermore, if you define these job roles using SFIA, they will have meaning when you go to external recruitment. If you go to market for a security architect and state you want a level 2 senior security architect, as defined in SFIA, then you can have the recruitment agency filter through only those candidates with the requisite level of capability.
Experience Matters – Incident Response
Some security certifications are so broad that they teach little in terms of practical application of skills. CISSP is a good example: the certification doesn’t help security professionals do their day job, rather it is a testament that the person with the CISSP has a wide knowledge and the requisite experience, more a licence to operate than a skills uplift. We believe that continual on-the-job training is a more effective way of learning security, with courses in specific disciplines such as risk management, report writing, business case writing, etc. also factored into development plans.
The incident management discipline is a great example of where it is necessary to gain experience responding to real attacks before you can expect to lead a response activity. When you are in the middle of handling a cyber catastrophe, with systems malfunctioning, malware breaking out across multiple networks and senior managers screaming for answers, you’ll be under enormous pressure. No amount of classroom roleplaying prepares someone for dealing with a major incident. However, companies can model threats and business impacts, so that the basic premises of what constitutes an incident are understood by everyone.
The security operations team can focus on building playbooks – standard response plans – for each of your incident categories, documenting the basic steps of what to do during the attack. This is how response-oriented professionals prepare: take the fire service, for example. Fire response teams will plan how to extinguish different kinds of fires: chemical fires are different to house fires, which are different to bushfires. They would never rush into a bushfire situation without a plan. Their team would gather information from as many sources as possible; from the Bureau of Meteorology, from local law enforcement and DFES. This is known as situational awareness. Proper preparation and planning, with data from meteorological reports and local geography, help them make good decisions and save lives. They would never send an inexperienced firefighter, straight from college, to the frontline, even if she had perfect grades.
Professional training courses in cyber security disciplines like incident response do exist and you can push your team through this training path as part of their development programme. ISO 27035 training, for example, will teach your team the processes they should adopt to respond to a cyber-attack. However, formal training should always be followed by a series of exercises and fire drills to put them under pressure, even if simulated. Run a programme of increasingly complex tests that check the limits of their ability, allowing them to work both as contributing SMEs and as the incident manager.
By doing this, you can watch how the team works together and monitor the efficacy of the response plan, thus honing the processes as you go and transforming the team from enthusiastic apprentices into battle-ready operatives.
What About End User Awareness Training?
Security awareness training is another aspect of education that receives a lot of criticism. Evidence shows that no matter how many hours of awareness training users take, the number of incidents from phishing attacks and password reuse (two of the most prominent reasons why people are compromised) hasn’t materially decreased. The explanation for this apparent failure is relatively simple to identify, but harder to fix.
Our approach to security awareness builds on basic awareness by incorporating elements of continual professional development into programme design. When staff resume their day jobs in sales, marketing, planning, research and delivery, their mindset shifts from security back to the task in hand. If a sales manager is in a hurry to clear his inbox before a customer meeting, he won’t be thinking about being a phishing target. He certainly isn’t stupid or irresponsible (as many IT administrators would tell you), rather he is a busy, successful professional with a lot on his mind, which often doesn’t correlate with caution and consideration of abstract threats such as cyber security.
Security awareness needs to be a target for the executive leadership team, with the HR team and workforce planning also included as stakeholders to make it successful. If security can be made meaningful and integral to how people work in your organisation, the continual reminders make it second nature for staff to consider threats.
Our approach is to help you effect change by designing a programme that incorporates training, briefings, technology, fire drills (internal phishing campaigns to test efficacy), letters – or videos – from the CEO and briefings cascaded through management to staff in town hall meetings. Posters, mailshots and prizes for staff who spot security issues (much like staff being asked to report health and safety issues) are useful techniques for raising awareness. Targeted awareness for specific job roles is also a beneficial approach: managers, system administrators, reception staff and mobile workers have different things to think about, and this targeted content will make your training stick.
For more information on cyber training and education, contact Sekuro today to talk to an expert.