SecurityWeek

Training & Awareness

Creating Cyber Resilience Through Training

Organizations Must Find New Ways to Acquire the Expertise They Need to Protect Themselves

Everyone is familiar with the three legs of the cybersecurity stool: people, processes and technology. Yet most companies invest heavily in just one of them, technology. That focus on technology, at the expense of training staff and establishing clearly defined processes and procedures, has largely proven ineffective, as the steady rise in cyber incidents shows.

Understanding Cyber Security Effectiveness

Boards want to know, the CEO wants to know, the compliance team wants to know, and you want to know: is the security team capable of responding to a cyberattack that could result in a massive data breach or shut down business operations? Too often, that question is only answered in the days and weeks following an attack.

In the worst-case scenario, revenue and customers are lost, fines are levied, and careers are ended. By focusing on continuous training, assessments, and attack simulations, CISOs and security managers can gain a clearer understanding of their security organization's strengths and weaknesses, and work on the shortcomings. Armed with this knowledge, CISOs can give executives, board members, and compliance teams an accurate assessment of their team's skills and a path to improvement, building confidence across the organization.

Addressing Staffing Shortages

Given the shortage of experienced cybersecurity professionals, hiring is extremely difficult and competitive, and is simply not an option for some organizations. Nevertheless, CISOs must still find a way to protect their organizations from security threats. One way to address staffing and skills shortages is to build a flexible team through role-based cross-training. Following a military-developed model in which each member of a team is trained on, and can perform, the job of another member, CISOs can identify proficient practitioners in their ranks and cross-train them in other security areas.

Cross-training decisions can be based on known weaknesses, the incident-response process model, when each role is needed during that process, and the technology in use. The goal is to optimize the roles covered by each team member at each stage of the process, so that every required role has someone trained to fill it and no one is left without a function to perform at any point during an incident.

Another way for CISOs to manage skills gaps on their team is to identify non-security staff who have the proficiency to move into a cybersecurity role. Since IT positions are typically easier to fill than cybersecurity roles, assessing the capabilities of non-security employees, identifying those most likely to succeed, and providing them with security training is a very effective way to add new talent. This model has the added benefit of reducing the costs associated with hiring new employees and can keep salaries in check.

Improving Hiring Processes

When recruiting external resources is the only option, organizations should look for ways to improve the hiring process. With the current skills shortage in cybersecurity, most available candidates are likely to be recent graduates or individuals who have completed a basic security certification program. Both types of candidates are likely to lack the operational skills required to perform the role for which they are hired effectively. Some may even lack the aptitude to be trained for a cybersecurity position.

For this reason, CISOs can no longer rely solely on a candidate's resume, training certificates, or personal and professional references when qualifying them. What is needed is a way to assess a candidate's cyber defense skills from a tactical perspective. One way to achieve this is to use simulated hands-on tests as part of the evaluation process. Based on the results of these benchmark assessments, organizations can project the on-the-job performance of applicants and select the most qualified candidate for their needs.

Building Cyber-Team Collaboration

A targeted cyberattack is typically deceptive, sophisticated and multistage. Even savvy security organizations with advanced security tools will often have difficulty defending against one. A study by the U.S. Army Research Laboratory's Cyber and Networked Systems Branch found that without active collaboration and leadership, even a large security team will fail. The study concluded that human collaboration and leadership of cybersecurity teams are essential when responding to a realistic cyberattack.

Since most training programs emphasize individual cybersecurity knowledge, the lack of focus on team collaboration places even sophisticated security teams at a disadvantage against well-organized attackers. Performing simulated purple-team exercises on a routine basis provides a way to measure the effectiveness of the entire team as well as its individual members. Assessing the performance of a team of defenders as they work together to defeat a common adversary reveals much more than coding or cyber defense skills. These exercises also showcase soft skills like communication, teamwork, improvisation, and leadership, all of which the Army study found essential to real-world cyber defense success.

Faced with a shortage of skilled cybersecurity professionals, and an even smaller pool of experienced ones, organizations must find new ways to acquire the expertise they need to protect themselves from increasingly sophisticated and well-funded attackers. Training that uses interactive techniques to assess and improve real-world skills and decision making, while providing objective reporting on those skills, can help build cyber resilience in ways that no defensive or perimeter security tool ever will.

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.