I don’t need to tell you that it’s a tough time to be a cyber-defender. Attacks are growing increasingly sophisticated, as are the tools needed to detect them. Multi-vector threats that move laterally from IT to OT and IoT networks can cause substantial physical damage. Time sensitive malware like ransomware or fileless attacks crank the pressure up further.
CISOs and SOC managers can’t combat cyberattacks without technology, and of course they want the most advanced defense tools available. These tools, however, require substantial expertise, but the teams who use them are usually understaffed and underqualified. And rarely are SOC teams trained on how to deal with a live cyberattack in a real-world setting.As a result, most SOC staff members will experience a major incident for the first time on the job. Nevertheless, they will be expected to understand the situation in a split second and manage it flawlessly.
What good is an arsenal of fancy cyber weapons if your team members haven’t mastered them and even practiced the relevant playbooks? And how can we expect our SOC teams to identify and respond to an incident which they’ve never seen before?
When you consider how critical digital assets are to most organizations and how prevalent cyberattacks are, it’s a no brainer that organizations should require mandatory training for all security analysts. From fresh recruits to senior aces, SOC staff that practices for cyberattacks will be prepared in advance for the attack, and understand how to work TOGETHER as a well-oiled cyber security machine.
This is, in my view, the most troubling aspect of the cybersecurity skills “gap.”
“By failing to prepare, you prepare to fail”
Problem solving under pressure, when the stakes are high is a challenge experienced by pilots, air traffic controller, doctors and first responders every day. These professionals are required to assess situations in real-time, make split second decisions against a ticking clock, and use – as a team and as individuals, sophisticated technologies in highly distracting environments. The cost of error is high and there is often no second chance to fix it.
These industries also use experiential learning — hands-on training and simulation to minimize errors and ensure their experts can perform as needed, before they even get to see a patient, aircraft, or a control tower. Simulating day-to-day scenarios and crisis scenarios repeatedly, enables trainees to correct errors and improve their performance – as individuals and as a team, so when an actual crisis occurs it is handled efficiently.
Cybersecurity is already heading that way, but now that cyberattacks can cause physical damage, we need to move towards it at a much faster clip. Why wouldn’t we want incident responders to experience real-life attacks in a safe environment using their day-to-day tools? Cyberattacks are ATTACKS and should be treated as such. SOC analysts are an enterprises’ front line defenders, and like any other first responder they should be required to demonstrate their fitness for duty by completing required simulated training program successfully.
This approach can not only be used to certify and train cybersecurity experts, it can also validate operational procedures and technologies. For example, new incident response playbooks will have to be run in a simulated environment before being approved. Just as all aircraft must complete wind-tunnel testing before completing production, all security technologies can and should be field tested and certified by an entity other than the vendor that made it. The same simulation platforms used for training SOC staff can be used to validate and certify new security products and assessing network resilience.
But the real value of simulated training is its impact on people. It helps them become more skilled at a given task, to acclimate and integrate new people onto a team, even to help prioritize purchasing and technology spend. Given the breadth and depth of the cybersecurity skills shortage, simulated training should very well be the most high value line item on your cybersecurity budget.
I often read about people being cybersecurity’s weakest link, but I beg to differ. I’ve seen time and time again how simulated training for SOC staff and especially full team training, transforms a company’s cyber defense capabilities. There may be some truth to people being cybersecurity ‘s weakest link, but with proper training, they are also by far, it’s strongest.
Adi Dar is CEO of Cyberbit