Why Continuous Learning is Key to Strengthening Cyber Teams

There is a lot out there about the benefits of continuous learning—or continuous professional development—and what we’re gleaning from research is how POWERFUL the approach can be when applied to cyber team training.

Like most industries, the only constant in cybersecurity is change. It’s not enough for cyber professionals to get technical degrees and certifications to call themselves experts. Ever-evolving cyber threats are a constant thorn in the sides of cyber professionals. They are responsible for finding new ways to stay ahead of the game to swiftly and efficiently defeat threats before they do damage to their company. CISOs in particular have the unrelenting challenge of identifying opportunities to assess, enable, train, and retain their cyber teams, which usually requires time they don’t have. To assist with this challenge, a simple and effective solution is continuous learning.

Continuous learning is exactly what it sounds like: the ability to continually develop skills and knowledge to perform effectively in the workplace. When it comes to cyber teams, they must be “students of the business,” willing to stay current with the latest news and industry developments to grow their understanding and apply any new knowledge gained to their jobs.

Practicing continuous learning within your cybersecurity team delivers the following benefits:

  • Protects your company against evolving cyber threats
  • Enables and empowers cyber teams to perform optimally and efficiently
  • Increases productivity
  • Expands knowledge of current hacker methods and understanding of ways to stop attacks
  • Improves decision making
  • Stimulates cognitive activity, keeping teams actively engaged and passionate about what they do

Due to the widespread skills shortage of cybersecurity professionals (projected 1.8 million open and unfilled positions by 2022), organizations need ways to develop skilled teams to fight ever-evolving cyber threats.

Many leaders are addressing this problem by adopting a continuous learning philosophy that involves consistent training and up-skilling their teams. In fact, 60% of companies use training to build security expertise (Coursera) and 96% of cybersecurity professionals agree that they must keep up with their skills or the organizations they work for will be at a significant disadvantage (ESG Research).

However, preconceived notions of cost and time prevent lots of companies from offering continuous development opportunities for their employees (only 38% of cybersecurity pros say their organizations provide the right level of training and education). Fortunately, there are training platforms out there (such as our very own Project Ares®) that are both cost-conscious and time-saving in the sense that they don’t require time away from the office to train.

We recommend CISOs adopt continuous learning by:

  1. Interviewing and assessing cyber teams to identify skills deficits and, therefore, understand what team members need to learn/develop.
  2. Addressing large workloads via automation and augmentation so that cyber teams can move away from data handling tasks and into higher-level reasoning and analysis.
  3. Providing ample opportunities for skills development through persistent, gamified training, mentoring, networking, and continuing education.
  4. Developing teams incrementally and continuously via a “day-by-day, month-by-month” mindset – as the job is never done in this field.
  5. Dedicating resources, setting expectations, and aligning corporate culture with the goal of enabling employees to get the learning they need to protect and defend the organization at every stage of their careers.

Continuous learning will up-skill and strengthen your cyber teams so that they are prepared to defend your organization against ever-increasing cyber threats.

Increased understanding, skill, and application of offensive and defensive strategies will greatly improve your organization’s security posture and help keep the hackers at bay. As technology and connectivity strengthen with each passing day, steps must be taken immediately to adopt a culture that values and emphasizes continuous learning, so that your organization is not featured as the victim in the next cybersecurity attack headline.

THE ILLUSION OF SECURITY

When you fly, you are subjected to a lot of requirements when passing through a security checkpoint. You have to take off your belt and jacket, remove everything from your pockets, you can’t carry in liquids more than 3 ounces and on and on. When someone, many years ago, devised a way to carry a bomb in their shoes, we were all required to take our shoes off when we passed through security. Of course, there are ways around these things by getting a background check and giving up your fingerprints. However, even after doing all that, you still have to pass through metal detectors and you still can’t bring in liquids. Despite all these restrictions, people still manage to get knives, liquids and other supposedly banned items through security.

When I was in college, many years ago, I had a job doing physical security. What I knew then was that being visible, so everyone was aware there was a security presence who would step in if it was necessary, was often adequate to keep incidents from happening. Does either the Transportation Security Administration (TSA) or my own presence completely keep bad things from happening? Of course not. In security circles, what the TSA does is called security theater. It provides the illusion of security. This sounds derogatory and dismissive. The fact of the matter is that just having that presence keeps random people from doing stupid things on a spur of the moment. Will it keep determined people out? No, but that’s not really the point anyway.

While the illusion of security can often have benefits, there are also a lot of downsides. Where it is especially an issue is when it comes to information security. Too many times when I did security consulting, I was asked by clients to provide a security assessment that was primarily focused on making them compliant with some set of requirements, whether for payment card processing, health care or maybe regulations or laws. Often, the most sensitive or vulnerable parts of the organization were out of scope. There is rarely enough time to do a thorough analysis of an entire network. Getting a report indicating that very little was found can provide some executives and other leadership the belief that they can’t be compromised.

This is where the illusion of security is very dangerous. Anytime someone gives you the sense that you are safe from attack or compromise, you are potentially in an even more dangerous situation. If you get a good “health check” from a security assessment or penetration test, take it for what it is — a snapshot with a very limited view.

These tests are not the only place where you can start to get the illusion that you are safe and protected. Vendors often sell elaborate, end-to-end solutions. Without any intention to impugn such vendors, what you are buying into there is the lens of a single company. Everyone has a bias because everyone sees things differently. Getting multiple views into what’s happening in your organization from the standpoint of information security can be very valuable. However, that’s not to say more is necessarily better. More information can be a good way to blind yourself because it takes so much time and effort to sift through all the data you have acquired.

Perhaps even worse than a single-vendor, end-to-end solution, though, is having multiple vendors whose products can’t communicate effectively. You may have the latest and greatest in information security technology, but if the different pieces can’t play nicely together, you’re in a far worse position because you believe all the components will “do the right thing.” Modern attacks, though, are complex and far-ranging. You need to be able to correlate events across multiple devices to get a broader sense of an attacker’s actions. If you aren’t getting all the details from all the devices, you’re going to miss when the bad guys get in.

This sounds bleak, for sure. It’s complicated. There aren’t perfect answers to these challenges. The important thing is to bring it back to basics — understand what the problems you have are, what resources you want to protect, and what adversaries you are most concerned about. All of this should be done rationally and realistically and not motivated by fear, uncertainty or doubt. It’s better to make decisions from a position of knowledge and awareness.

Project Ares Featured on Computer America Radio

Recently, our own Keenan Skelly, VP of Global Partnerships and Security Evangelist with Circadence®, was interviewed by Computer America’s Ben Crossman regarding Project Ares®, our flagship training and assessment platform for cybersecurity professionals. Keenan shared how Project Ares works, what it can be used for and the benefits of gamified training.

The top 5 key takeaways from the interview include:

1. The next generation way to cyber train is through gamification, allowing participants to train in a scalable way while improving information retention.

2. A benefit to using the Project Ares platform is having access to its virtual cyber ranges that emulate enterprise networks, putting real-life tools in the hands of trainees, mirroring what they would be doing in the real world.

3. Increased diversity helps program AI technology to better account for “every-person’s AI.” We should consider how programming of these systems is unintentionally informed by our own personal biases.

4. We need to adjust our messaging around what it means to be a woman in cybersecurity and introduce young women and girls to the different roles that exist in the field today to spark interest.

5. It is critical to remain aware of how data privacy legislation will affect offensive and defensive work (not to mention personal cybersecurity practices) so companies remain compliant with industry regulations while staying vigilant against evolving threats.

Keenan concluded that while the negative effects of cyberattacks are in the headlines every day, we have an opportunity to change the paradigm of cybersecurity for the better. Cybersecurity is not just an IT challenge, it’s everyone’s responsibility to stay vigilant in today’s interconnected world.

To listen to the interview in full, visit https://computeramerica.com/2018/06/11/circadence-interview-us-super-computer-bitcoin-value-apple-bans-cryptomining/.

Why We Can’t Keep Ignoring Cyber Fatigue

The ever-present threat of cyber attacks is taking its toll on info sec newcomers and veterans alike, who are struggling to keep pace. This strain can lead to cyber fatigue, a growing concern among both cyber professionals and consumers.

But just WHAT exactly is it? Most resources associate it with users who “just can’t be bothered with using a new password,” prompting users to make poor decisions with regard to their security efforts. In our experience working with government, academic, and commercial enterprises, cyber fatigue affects cyber professionals who are overworked, under-resourced, and lack proper training—leaving professionals throwing up their hands in fatigue and frustration.

Many organizations do not have right-sized cyber teams to alleviate workloads and effectively combat attacks; cybersecurity employees are fatigued from long hours, lots of pressure, and unreasonable workloads. This leads to dissatisfied employees and high attrition rates. It is a serious problem, because an organization that trusts its data security to a fatigued cyber team is ultimately a threat to us all.

According to a new KPMG report, “How to Bounce Back from Cyber Fatigue,” a new model is needed to transform cybersecurity strategy from one that is draining and reactive to one that is energized and proactive.

A Five-Pronged Approach to Combat Cyber Fatigue

The KPMG report offers a five-pronged approach for organizations to combat the symptoms of cyber fatigue:

  • Make measured investments in cyber capabilities based on risk: Quantify the risk by understanding its impact and effect on overall business objectives. How will a threat actor interrupt the achievement of a core business goal? Then look at the risk in terms of monetary cost to the company compared to likelihood of the risk occurring based on current circumstances.
  • Regularly measure the effectiveness of your info security investments: Info security costs include the expected physical hardware and software costs in addition to more intangible elements like supply chain services, training, etc. Listing out all current allocations of resources and spending will allow info sec pros to compare the cost of cybersecurity to their overall risk tolerance and make adjustments in investments to best meet the organization’s needs.
  • Develop/align the right cyber risk management model: Communicate on an enterprise-wide level the significance of a “protect data first” mentality across the organization and set expectations that breaches are not an “if” but “when” occurrence. Ensure all stakeholders understand what is needed to manage today’s risk and how the cyber team is preparing to protect and defend the company.
  • Continually update your model to reflect emerging threats: Continued vigilance is key to managing cyber threats. They’re a moving target and companies need systems or platforms to help prepare cyber teams to combat the latest attacks. Immersive training platforms like our own Project Ares® can help teams and leaders make continued investments in their skills development to keep pace with evolving cyber threats.
  • Build and promote a risk-aligned security organization: Cybersecurity isn’t just the responsibility of the info sec department or the CISO. It’s an enterprise-wide responsibility. It needs to be treated as a strategic priority with a top-down focus. A cybersecurity readiness program that includes a skill assessment and skills development component will help keep cyber teams prepared to manage the latest cyber threats and attacks.

Instead of a “spend more, more, more” mentality, organizations would benefit from taking these approaches and starting collaborative, C-suite involved conversations that advance them toward a culture of cyber awareness and proactivity.

Cyber threats are only getting more sophisticated and intelligent and cyber teams need to do the same in their cyber workforce preparedness. By maximizing info security investments and protecting the firm’s assets with robust staff training and skills development, CISOs can sleep a little easier at night—and more readily tackle tomorrow’s cyber threats.

Circadence ranks in top 10 cybersecurity training firms by Black Book Market Research

Black Book Market Research, the parent group for Black Book Rankings, recently ranked Circadence® among the top 10 cybersecurity training firms for 2018.

Circadence’s premier cybersecurity training platform, Project Ares®, is an immersive, gamified, AI-powered platform designed to help cyber professionals hone their skills and knowledge to defeat evolving cyber threats.

Black Book conducts an annual poll of cybersecurity clients across 17 functional areas of cybersecurity from training and education to blockchain to endpoint solutions. Firms were rated by industry client satisfaction and loyalty scores via independent key performance indicators. A total of 2,464 cybersecurity system users and senior level managers participated in the seven-month crowdsourced survey. Black Book collects ballot results on 18 performance areas of operational excellence to rank vendors by software, systems, products, equipment and outsourced service lines.

Circadence is proud to be recognized within the top 10 list of companies making impressive strides in bettering the cybersecurity industry as a whole. We believe that with the right training and continuous learning, enterprise, government, and academic institutions will be better positioned to defeat attacks, so that we can all continue to enjoy the benefits of being connected without being compromised. It is this belief that drives our commitment to helping companies combat evolving cyber threats with persistent training and assessment tools customized to each customer’s industry and cybersecurity needs.