Today's fast-paced digital world means the number of cyberthreats are multiplying by the minute and organizations' IT environments are in a constant state of flux. Couple this with the shortage of skilled IT talent, and it's no wonder why companies have a hard time keeping their staff armed with the most pressing and valuable cybersecurity training.
Enterprises do appear to hear the alarms. The Life and Times of Cybersecurity Professionals report from ESG and ISSA states that 69 percent of organizations planned to increase cybersecurity spending in 2017. And it reaffirms what many in the industry have discussed for some time now: cybersecurity skills development is still a critical concern. The report cites a number of factors as to why, including employees needing to more work with less, companies' focusing on training junior employees instead of paying premium salaries for industry experts (it's also an extremely tight job market), and also placing a greater priority on areas other than training. And the issue is not just felt at the management level, “27 percent of cybersecurity professionals say that the cybersecurity skills shortage has had a significant impact on their organizations,” according to the report.
So, what do you need to do to optimize your preparedness? The Three Critical Factors in Building a Comprehensive Security Awareness Program report from Joanna G. Huisman of Gartner, Inc. boils a comprehensive security awareness program down to just three pillars:
1. Pervasive Communication Tools for ongoing reinforcement and rewards for taking action.
2. Engaging Education Tools to help the audience understand their responsibilities in protecting the enterprise.
3. Attack Simulations to identify key pockets of risk within the enterprise audience and to test their ability to detect attacks.
Following are ways to help integrate these best practices and pillars into your organization to help ensure your company is not reducing training to just a check-box item, but making it an engaged and interactive part of your team's professional development.
Make Training a Leadership Discussion
Investing in your people is critical to employee engagement and the health of your business. Security training should not be relegated to just the HR department and doing the minimal effort. Training and development needs to come from the top. After all, the CISO is responsible for the company's cybersecurity. If the boss is committed to the team's training, it will resonate throughout your entire organization.
Although your entire workforce (and vendor ecosystem, if you want to be thorough) needs cybersecurity education, not all employees require the same level of training. For example, for non-technical employees, simple awareness may be enough; while your IT and security teams will require deeper dives and expertise in your IT environment, use of your existing cybersecurity tools, and proper response and policies in case of actual attack. Luckily, there are a wide variety of training tools and options at your disposal to create the optimal mix of training for your team. Knowing your options will best help you determine where to focus to provide the best ROI.
Here's a look at popular types of training options available:
· Awareness programs: There are sources for security information bundled in ready-to-launch newsletters that alert employees to the latest threats. You can share these as is, supplement them with additional information or create your own from scratch. You can also enlist HR to add to posters and other distribution points around your offices.
· Cybersecurity events: Cybersecurity events offer a mecca of information, innovation, and inspiration. Both technical employees and managers can learn how to improve cybersecurity by sharing knowledge with the gathered group of tech enthusiasts, security experts, industry leaders and peers.
· Online courses: A variety of courses address both security fundamentals, awareness and the in-depth technical aspects of the most crucial areas of IT security. These courses are prepackaged and ready for employees to register and start.
Help Your Team Know Your Infrastructure Inside and Out
If you do get attacked, you must ensure that your IT and cybersecurity teams are able to defend and protect your business immediately and as effectively as possible. Your team not only needs technical training to understand threats, they must also have a strong understanding of your entire IT environment, including the cybersecurity tools that are already in place. Start with technical training first and work with your security vendors to ensure your team is updated on all the tools available to them. Training should focus on two main areas:
· Certification programs: Certification programs help ensure that your employees or contractors meet uniform levels of skills and experience. Entry-level certifications teach basic foundation principles, best practices, important tools, and the latest technologies. Intermediate and expert-level certifications are offered to those with extensive job experience.
· Vendor trainings: If you have already invested in vendor solutions to protect your systems and data, then you'd be well off making sure that your employees are following all best practices and are aware of and know how to use their latest features. Vendor trainings are often offered in multiple formats, from recorded sessions to hands-on labs.
Move Away from Theory and into the “Real World”
For the security and IT personnel who need to protect your systems, there is no better way to learn and prepare for an actual incident than hands-on practice with realistic scenarios in a safe, sandboxed replica of your IT environment and or at a cyber range. Taking a cue from government and military applications and training, cyber range deployments are on the rise in the private sector as they mimic real-world events and scenarios in a lab environment. Participants work in offensive and defensive teams and learn how to evaluate situations and apply the correct policy and response for specific attack situations.
Most cyber ranges are run with onsite instructors and require participants to travel to the location, which can be expensive, and may in fact, be overkill. If you are an enterprise and not responsible for a major public utility, such as a power grid, water supply or an air traffic control system, some of the exercises offered may go above and beyond what your employees need to know. And even if a cyber range can replicate your exact environment (without too much time or expense), you still have to pay for the time and travel out of the office for your team and your already lean team will be even leaner while they are away.
Not ready for a cyber range investment? Some alternatives include:
· Penetration testing programs: Penetration testing is an ideal way for enterprises not only to assess their existing security systems and vulnerabilities, but also to improve employee resistance to different kinds of social engineering attempts.
· Virtual training labs: As opposed to going to a full-fledged cyber range, enterprises can employ their own virtual training labs to provide their employees with laser-focused cyberattack training on exact replicas of their environment. Scripts can be injected enabling employees to learn how to respond to malicious attacks in a safe realistic environment. Remote access eliminates the need to send trainers and employees to a distant classroom and allows learners to continue to perform their normal job duties between sessions.
By carefully planning the appropriate training for the relevant personnel, you can keep your organization safer and better equipped to handle the threats and attacks facing your enterprise today.