Equifax, Verizon, Molina Healthcare, Deloitte, Whole Foods, Wendy’s… it seems like every time we turn on the television another high-profile data breach is being reported. Despite an unprecedented number of security tools on the market, breaches are occurring at a record pace. According to the Identity Theft Research Center, the number of breaches for the first half of 2017 increased by 29 percent from the same time period during 2016.
If we have more tools available than ever, why does is seem that security practices are consistently failing? All signs point to one clear industry-wide problem — the growing cybersecurity workforce shortage. Security teams are understaffed, overwhelmed by alerts and challenged with managing growing security stacks without the time to adequately prepare for emerging threats.
According to the Center for Strategic and International Studies (CSIS) report, “Hacking the Skills Shortage,” 82 percent of respondents reported a shortage of cybersecurity skills within their organizations and one in four respondents stated their organizations were victims of cyber thefts of proprietary data due to a lack of qualified workers.
What is needed to address this shortage and better prepare teams for the rapidly evolving threat landscape? Industry analysts, such as Gartner, advocate moving toward “people-centric security,” which lessens organizations’ reliance on a massive stack of tools and a compliance checkbox mentality in favor of a more powerful human element in fending off attacks and reducing security errors.
With networks growing in complexity and new threats emerging at an unthinkable pace, it is imperative that organizations focus on core skills and address cybersecurity training as more than a compliance checkbox. It has become a business-critical investment.
Traditional versus next generation cybersecurity training
For most organizations, the training budget is generally allocated per person and used by individuals to attend a conference or classroom training event in order to learn about new threats and expand their skill sets. This frequently requires travel, which takes vital team members off the front lines for days at a time. Traditional training course updates are cumbersome and take time to publish. Other shortcomings involve retention and effectiveness. Research shows that individuals lose 90 percent of information within one week of traditional classroom training.
If we are to follow the guidance of industry experts and embrace people-centric security, a paradigm shift is required. The next generation of cybersecurity training must be agile enough to adapt to emerging threats. It should engage users in realistic environments through repetition and active learning principles, while utilizing features such as machine learning and artificial intelligence (AI) to quickly adapt content.
With the Internet of Things, hybrid cloud infrastructure and a growing demand for mobile enterprise applications creating more complex technology stacks, the element of realism is critical to preparing security teams. We would not expect a gold medal to be awarded to a swimmer who learns merely from videos and classroom conversation about the newest butterfly technique.
Olympians must practice those skills repetitively in a competition pool in order to be at peak condition for a race. Similarly, we cannot expect our cyber defense teams to learn only from traditional lecture-based training. Training with real-world tools in high-fidelity virtual environments against actual threat adversary malware is the future of cybersecurity training.
Next generation cybersecurity training utilizes a team approach
Training and workforce development must also be approached with a team perspective in mind. A soccer coach does not send players home individually to practice alone. The result would be a group of players with overlapping skills and no real understanding of plays or team strategy—in this case, the opponent would most certainly win.
Likewise, it is important for cyber teams to train together to defend against the top threats. Teams that consistently practice their skills, particularly incident response tactics and event handover, as an integrated team are more confident, quick and effective in their response to cyberattacks. Training as a team is further enhanced when using training platforms that replicate the organization’s environment, including realistic threat scenarios, network traffic and the tools cyber teams have each day at their disposal.
The team approach will also better engage team members when including the concept of gamification. Consider challenges that replicate real world attack scenarios with rewards for completion and improvement, or enable your red and blue teams to “face off” in order to spark excitement and make training more enjoyable. Earning skill points also serves as a mechanism to demonstrate proficiency that leads to better retention of these scarce professionals.
Training as a team also gives cyber team leaders a more thorough understanding of cyber readiness, including any skills gaps, which helps to guide future training efforts. This holistic view of readiness can help to identify areas of vulnerability as well as help guide strategic workforce development and technology purchases.
Introducing next generation cybersecurity training
As we move to the people-centric approach to security, chief information security officers (CISOs) should first look at the way their cyber team or teams are structured. Are they meeting all the important tasks/skills/roles recommended by the National Institute for Cybersecurity Training (NICE) Cybersecurity Workforce Framework and National Institute of Standards and Technology (NIST) Cybersecurity Framework? Where are there gaps and how can these gaps be addressed through cross-training existing team members? Look at existing training programs to determine if you are taking the team approach because now is the time to make the necessary changes to embrace the next generation of training.
Often times, training budgets can be reallocated to allow for investments in technology that enable next generation cybersecurity training. When approaching senior leadership for additional funding, CISOs should use cyber readiness assessments to position training as a critical investment.
Adversaries are well funded with time to develop threats that cripple unprepared organizations. The attacker only has to be right once, while understaffed security teams work tirelessly to protect their networks every day. As an industry, we must arm these cyber defenders with the skills they need to be successful.
By transforming the approach to training, we can more efficiently and effectively build a highly skilled cybersecurity workforce that is better prepared to address emerging threats in complex enterprise environments.