Organizations Must Find New Ways to Acquire the Expertise They Need to Protect Themselves
Everyone is familiar with the three legs of cybersecurity stool: people, processes and technology. But most companies typically invest in just one area – technology. However, this primary focus on technology, at the expense of training staff and establishing clearly defined processes and procedures, has largely proven ineffective as cyber incidents continue to increase.
Understanding Cyber Security Effectiveness
Boards wants to know, the CEO wants to know, the compliance team wants to know, and you want to know – is the security team capable of responding to a cyberattack that can result in a massive data breach or shut down business operations. This question is typically answered in the days and weeks following an attack.
In the worst case scenario, revenue and customers are lost, fines are levied, and careers ended. By focusing on continuous training, assessments, and attack simulations, CISOs and security managers can gain a clearer understanding of their security organization’s strengths and weaknesses – and improve their shortcomings. Armed with this knowledge, CISOs can provide an accurate assessment of their team’s skills and a path to improvement for executives, board members, and compliance teams, building confidence across the organization.
Addressing Staffing Shortages
Given the shortage of experienced cybersecurity professionals, hiring staff is extremely difficult and competitive, and is not an option for some organizations. Nevertheless, CISOs must still find a way to protect their organizations from security threats. One way to address staffing and skills shortages is to build a flexible team through roles based cross-training. Following a military developed model where each member of a team is trained on and can do the jobs of another member, CISOs can identify proficient cyber-pros in their ranks and cross-train them in other security areas.
Cross-training decisions can be based on weaknesses, process models, role timing, and technology used. The goal is to optimize the roles covered by each team member at each stage in the process, so no one is left without a function to perform at any time during an incident.
Another way for CISOs to manage skills gaps on their team is by identifying non security staff who have the proficiency to move into a cybersecurity role. Since IT positions are typically easier to fill than cybersecurity roles, assessing the capabilities of non-security employees to identify those most likely to succeed and providing them with security training is a very effective way to add new talent. This model has the added benefit of reducing the costs associated with hiring new employees and can keep salaries in check.
Improving Hiring Processes
When recruiting external resources is the only option, organizations should look for ways to improve the hiring process. With the current skills shortage in cybersecurity, most available candidates are likely to be recent graduates or individuals that have completed a basic security certification program. Both types of candidates are likely to lack the operational skills required to effectively perform the functions of the role for which they are hired. Some may even lack the aptitude to be trained for a cybersecurity position.
For this reason, CISOs can no longer rely on a candidate’s resume, training certificates, or personal and professional references when qualifying them. What is needed is a way to assess a candidate’s cyber defense skills from a tactical perspective. One way to achieve this is using simulated hands-on tests as part of the evaluation process. Based on the results of these benchmark assessments, organizations can project the on-the-job performance of applicants and select the most qualified candidate based on their needs.
Building Cyber-Team Collaboration
A targeted cyberattack is typically deceptive, sophisticated and multistage. Even the most savvy security organizations with advanced security tools will often have difficulty defending against these. A study by the U.S. Army Research Laboratory’s Cyber and Networked Systems Branch3 found that without active collaboration and leadership, even a large security team will fail. The study concluded that human collaboration and leadership of cybersecurity teams are essential when responding during a realistic cyber-attack.
Since most training programs emphasize individual cybersecurity knowledge, this lack of focus on team collaboration places even the most sophisticated security teams at a disadvantage against well-organized attackers. Performing simulated Purple Team events on a routine basis provides a way to measure the effectiveness of an entire team, and individual members. Assessing the performance of a team of defenders as they work together to defeat a common adversary will reveal much more than just coding or cyber defense skills. These exercises will also showcase soft skills like communication, teamwork, improvisation, and leadership, all of which the Army study found essential to real-world cyber defense success.
Faced with a shortage of skilled cyber security professionals, and an even smaller pool of “experienced” security pros, organizations must find new ways to acquire the expertise they need to protect themselves from increasing sophisticated and well funded attackers. Training, using new interactive techniques that can assess and improve real-world skills and decision making while providing objective reporting around skills can help build cyber resilience in ways that no defensive/perimeter security tool ever will.