Second in 3-part series based on the CyberRisk Alliance/Immersive Labs eBook “Achieving Cyber Resiliency Through Workforce Optimization.”
Traditional cybersecurity training has many shortfalls, and next-generation exercises can make up the difference with intense, frequent sessions presented to your organization's key decision-making employees.
Still, some staffers might benefit best from the older, passive cybersecurity training. Here's how to determine which kind of training is best suited for certain roles.
How next-generation training works
You may have heard of next-generation cybersecurity training methods, which Immersive Labs, one of its main practitioners, calls "cyber workforce optimization." Instead of long, passive, yearly training sessions, these next-gen exercises are short, interactive and frequent — as often as every eight weeks.
The idea is not to teach employees about known threat scenarios, but rather to prepare them mentally to quickly respond to entirely new threats. These exercises, or "micro-drills" as Immersive Labs calls them, teach by doing instead of by showing.
The exercises are tailored to an employee's skill set, knowledge, previous training and responsibilities. A member of the communications teams may participate in crisis-response exercises; a software developer might learn how to quickly implement emergency security patches, as had to be done in response to the recent Log4Shell vulnerabilities from December 2021.
Keeping the sessions frequent keeps the employee's skill set sharp, even if subsequent sessions cover different topics. The most important thing is to develop what Immersive Labs calls "cognitive agility," or the ability to quickly apply developed skills to an entirely new threat scenario.
However, Immersive Labs' program focuses on the key decision-making employees in an organization, not the entire staff. It prepares those who will be in the front lines of incident response — the executive team, the IT staff, the SOC personnel and even the communications team.
"It is not dissimilar to the way organizations patch technology," said Immersive Labs founder James Hadley in a piece recently posted online, "but instead of software being updated, it is people."
Who benefits most from next-generation training?
fake orders from the boss and other business email compromise (BEC) attacks. Carl needs to be trained to spot such attacks and to alert the proper personnel when he does see one.
Yet Carl is not a key decision-maker. He will not be called upon to manage a crisis response in case of an active attack. During a security incident, he and his colleagues in Accounts Payable may be told to simply shut off their computers and take the rest of the day off. Paying bills can wait a day or two while the crisis is sorted out.
Carl may not benefit from next-generation security training. It might be best to train him and his Accounts Payable colleagues the old-fashioned way, with passive instruction coupled with quizzes and short form exercises to learn how to respond to common threats against their group.
Now let's imagine Sheila, who is part of her company's SOC team. She is not a manager, but she is a key player in how the company responds to active threats. Sheila will absolutely benefit from next-generation training of the sort offered by Immersive Labs. She and the rest of her team will need to keep their crisis-response skills, and their cognitive agility, as sharp as possible in order to properly react to unforeseen attacks.
The bottom line is that next-generation security training is best implemented with those parts of a company's staff that are the crucial risk points in preparing for and responding to cyber threats — the first responders, if you will. Other parts of the workforce that take a more passive role during incident response may be best served by previous-generation passive training.
Next-generation workforce optimization is "making sure the right people have the right levels of skills, knowledge and judgment at the right time," said Immersive Labs' Director of Human Science Bec McKeown. "You're not wasting time, money and energy in giving everyone the same sort of training when they just don't need it."