First of a 3-part series based on the CyberRisk Alliance/Immersive Labs eBook “Achieving Cyber Resiliency Through Workforce Optimization.”
Cyber workforce optimization is a set of skills built up not through rote memorization, but through interactive, dynamic exercises that boost each key employee's ability to respond to unforeseen threat scenarios.
New security threats will not fit pre-gamed scenarios. A decision-making executive or IT or SOC staffer needs to be able to think on their feet, and Immersive Labs' Cyber Workforce Optimization micro drills will prepare them for that.
Traditional cybersecurity training and its downsides
Most of us are familiar with traditional cybersecurity training. Large segments, or perhaps all, of an organization's staff must attend a group seminar that lasts all day. Slideshows are presented outlining different common threat scenarios. Employees are given quizzes at the end of each section to see what they've absorbed. Almost everyone passes, letting the company say its workforce has undergone proper training for the next 12 months.
But is this really the right way to do it? There's no doubt that this sort of training helps employees recognize threats like phishing emails and phony invoices. Yet many staffers will regard these long, dull sessions as a chore to be endured rather than an opportunity to learn. Get through the slideshow, take the quiz, see you next year — and in the long run, is your company better prepared?
Organizations that rely on these traditional, passive methods will be unprepared for new scenarios that were unforeseen in the training sessions. Skills will rust as the memory of the past year's training exercise fades away. Executives, IT staffers and SOC personnel may not know how to respond to the latest threats and may not be confident in their own abilities.
In short, organizations that rely on traditional cybersecurity training will be less cyber resilient than other, better-trained organizations in their ability to mitigate and bounce back from potentially damaging incidents.
"Traditional training focuses on giving people the knowledge and skills they need, but metrics tell you nothing more than who has completed training versus who hasn't," said John Blythe, director of cyber workforce psychology at Immersive Labs and a psychologist and behavioral scientist. "This is no longer enough to be cyber resilient. Organizations need to be able to test, measure and improve the cyber capabilities of their entire workforce at any time."
The Cyber Workforce Optimization approach and its benefits
Immersive Labs' Cyber Workforce Optimization platform provides a different, more effective approach. Instead of infrequent, passive sessions, Cyber Workforce Optimization offers each key decision-making employee a set of short, intense interactive exercises — Immersive Labs calls them "micro-drills" — that can be completed in a web browser in as little as 20 minutes.
Each exercise doesn't cover as much ground as a one-size-fits-all group training session, but it doesn't need to. The micro-drills are tailored to the employee's experience and skill set, so they don't waste time going over what the staffer already knows.
The exercises must also be done every six to eight weeks, so that different scenarios and threats can be addressed each time while keeping the employee sharp enough to respond quickly to new scenarios. Best of all, the employee can choose to do these exercises according to their own schedule or even during off hours, so that the sessions don't cut into a busy working day.
Cyber Workforce Optimization consists of "making sure the right people have the right levels of skills, knowledge and judgment at the right time," said Bec McKeown, director of human science at Immersive Labs and a psychologist who previously worked with the UK's Ministry of Defense. "It's the optimal way of doing things. You're not wasting time, money and energy in giving everyone the same sort of training when they just don't need it."
Why Cyber Workforce Optimization might not be ideal for all organizations or employees
Yet these short, engaging micro-drills might not be appropriate for all your staff. Immersive Labs focuses on the key decision-making personnel who need to prepare for or respond to a crisis, such as the executive team, the IT and SOC staff, software developers and even the communication teams.
Other segments of the workforce may not benefit as much from this method of training. An ad-sales rep or human-resources staffer isn't going to be tasked with major decisions during a cyberattack. It might be better for that person to undergo traditional passive cybersecurity training just to get the basics of proper workplace security hygiene.
"Some people will prefer the traditional training," said Immersive Labs' McKeown. "There's quite a lot of reflection involved in our training, and people don't like doing that necessarily. They'd rather just move on."
The key part of Cyber Workforce Optimization is discerning which members of your staff will benefit most from this next-generation training. For more guidance, see our paper on "The case for cyber workforce optimization."