Content

Lessons learned: Can education solve cybersecurity’s “people” problem?

Irony can be a cruel teacher.

In 2017, an admin at Deloitte disabled multi-factor authentication on their own account, opening a path to a major breach; quite an embarrassment for a Big Four cybersecurity consultancy. Then, there’s the BAE Systems survey of senior managers in which 40 percent confessed they didn’t really understand their own cybersecurity protocols. Any wonder why C-level executives are prime targets of cybercriminals?

Yes, the single greatest asset of most companies, its people, can be its greatest weakness, too. And as cybersecurity pros know, we’re at a particularly vulnerable point in history.

We’ve all heard the predictions of 3.5 million unfilled jobs in cybersecurity by 2021. It’s unsettling, but worse is the lack of support for developing skilled and qualified personnel, as well as the continuing education necessary for keeping dream employees from becoming security nightmares.

While massive investments continue to be made in infosec products and services – projected by Gartner to hit $124 billion in 2019 – cybersecurity’s people problem can actually be mitigated for far less money. From the boardroom to IT labs, in cubicles and in front of job candidates, a focus on promoting a learning culture that reaches all levels provides a great return on investment.

Best of all, reducing cyber incidents through education and training is achievable and will enable your organization to avoid the devastating slipups caused by unsophisticated attacks as well as the more sophisticated ones, both particularly important considering the high profile publicity around damaging data breaches and attacks. That said, the following can help CISOs and IT leaders cultivate the right security environment in their organizations.

Getting support, setting a tone

Creating a learning culture starts at the top. That means CISOs must have the full buy-in of the C-suite and board of directors, both financially and as a company-wide mandate.

Last year a Ponemon Institute study identified more than 20 factors that decrease or increase the financial toll of a data breach. The third most effective method - bested only by encryption and an incident response team - is training. Yet, according to ESG analysts, nearly two-thirds of organizations aren’t providing the training needed to keep up with business and IT risks.

With this in mind, the benefits of education need to be communicated to decision-makers and funds must be earmarked for training initiatives and tools. Once they’re aware of the extent of cyberattacks and the potential impact on your business, their accountability has risen and you’re halfway there.

Communicating in their language will close the gap. That means tying a stronger security posture through training to the bottom line, including messaging that covers such things as decreased regulatory exposure, increased uptime and productivity, reduced IT costs, and improved customer retention. Additionally, support these benefits with reporting they’ll understand and data that provide financial justification. 

Further, a CISO should have the green light to set the tone that security is a priority and active participation is required by everyone throughout the company. And as the security evangelist, all related communications should come from the CISO’s office.

Be the hub of activity and generate awareness with regular internal communications. For instance, has there been an attack in the news that easily could have been prevented? Is there a new report on the cost of breaches?

These are teachable moments – pass along the information in brief and put it into an educational context.

Teach them and reach them

A report by infosec company Shred-it, noted employee negligence continues to be the biggest cyber risk to business, making education and cyber awareness essential for all employees. IT teams will need to lead organizations in cyber preparedness and ensure all employees are knowledgeable and understand best security practices. Their deep level of understanding and knowledge of the security issues from an awareness and technical aspect is essential to combat the inevitable breach. Nothing sticks like a hands-on experience, and luckily virtual IT labs provides this type of solution. With virtual IT labs, you enable IT teams to practice required defensive tasks and techniques by experiencing an attack in a safe, realistic environment.

Choosing the right hands-on training solution, however, is critical to achieving success. A good cloud-based virtual IT labs solution can scale to accommodate any size group and future company growth, while eliminating costs such as instructor and learner travel and labor-intensive deployment.

The solution also needs to spin up realistic, hands-on training environments quickly and support multiple learning scenarios. For example, it should support self-paced modules, which allow employees to complete training when and where it’s most convenient as well as real-time instructor-led trainings, which are useful for dealing with complex issues and new threats. Your virtual IT labs should support both scenarios.

Supporting IT

When it comes to helping IT teams, there are specific features you’ll want to have in your virtual IT lab that can increase the effectiveness of complex trainings. For instance, enterprises have increasingly been turning to multi-step classes, in which instructors lead students between environments. Being able to easily move from level to level logically, and without interruption, increases comprehension, but it also avoids the overhead and bureaucracy involved in creating and conducting multiple classes. 

Another popular feature is the ability for instructors to view what participants are doing in real-time, and barge in and help them when necessary. Immediate monitoring enables an instructor to recognize when students need help.

Furthermore, consider allowing your IT employees to participate in technical certification programs, which are often carried out via a training lab solution, giving them the opportunity to learn best practices and increase their knowledge retention by learning by doing. This shows an employee you’re invested in their career development, helping to retain talent, increase staff motivation and deepen the skill level on your IT bench.

Learning to grow

Enterprises will continue to grapple with cybersecurity issues and a talent shortage for the foreseeable future. However, with initiatives that educate and create a learning culture, they can reduce risks across the board and increase capabilities in key areas.

It’s a process that needs to begin the moment an employee begins. Those enterprises that fully grasp the importance of such education – and invest in the tools needed to provide it - will be a better position to confront the security challenges of today and tomorrow.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.