A New Perspective: Changing How We Think About Cybersecurity Training

What if someone told you that there was a new way to commute to work in the morning? A way that was more efficient than taking the highways or backroads to avoid traffic, a way that would spare you the time, the headaches and the dangers of driving altogether... you'd be interested, right? Maybe a little skeptical, certainly, but interested. So would we! Changing the way we think about a process or an act does not happen at the flip of a switch. We know that. However, the speed at which technology advances, and at which new products and services hit the market promising to make our daily lives easier, faster and better, requires us to be open to new ways of thinking about traditional approaches. In this blog, it's about changing how we think about "cybersecurity training."

While we can't help you teleport to your office or lend you a flying car, the concept behind the "better way to commute" scenario is exactly what we at Circadence are advocating for: a new way to think about cybersecurity training and skills development. Now, we realize that might not be as "cool" as teleportation, but hear us out.

When it comes to cybersecurity, we believe wholeheartedly that there is a better way to train cyber professionals on the latest tactics and techniques. Why? Current ways of developing professionals with "one-and-done" trainings in classroom settings aren't working. How do we know this? Because businesses are still getting hacked every day. In 2018 alone, we saw a 350% increase in ransomware attacks and a 250% increase in spoofing or business email compromise. If lecture-based, classroom-bound, PowerPoint-driven training courses were working, we wouldn't still be reading about breaches in our local and national news. Something new, something different has to be done.

Talk to your teams

People develop, use and control the technologies we have available to us. People are the mechanisms by which we execute certain security methods and procedures. People are the reason there are actual tools to help us stop threats. Talking to your team can help gain perspective on how they are feeling with their current workloads and where they want to improve professionally.

Without well-trained individuals who persistently learn new skills and find better (more efficient) ways to operationalize cyber processes and techniques, our businesses and our personal information will be exploited; it's only a matter of time. If you're thinking "I send my team to an off-site course and they learn new stuff every time," great! We invite you to take the next step and talk to those teams about how they're using what they've learned in everyday cyber practice. Sometimes the first step in adopting a new way of thinking about a process (in this case, cyber training) is to talk to the people who actually experienced it (those with boots on the ground).

Talk to your teams about:

  • their experience on-site at the training
  • what their main takeaways were
  • how they are applying learned concepts to daily tasks
  • where they see gaps or “opportunities for improvement”

Listening to teams and asking objective questions like these can shed light on what's working in your cyber readiness strategy and what's not.

Reframe negative thoughts

Things that are new and different are disruptive, and that can be scary for leaders looking for concrete ROI to tie to cyber readiness solutions. Forbes suggests reframing negative thoughts as well. In thinking about a new way to do cyber training, instead of "gamified cyber learning will never work," come from a place of inquiry and curiosity. Reflect on what feelings or experiences are causing you to think negatively about a new way of doing something.

Ask objective questions like:

Understanding how something works or could work for your specific situation is the foundation for evaluating the merit of any new process or approach presented to you.

Know Today’s Cyber Training Options

How cyber training is conducted hasn't changed much in the past several years. Participation in courses requires professionals to travel off-site to facilities/classrooms where they gather together to listen to lectures, view PowerPoint presentations and videos, and maybe engage in some online lab work to "bring concepts to life."

Travel costs accrue, time away from the frontlines adds up, and learners often disengage from material that is passively delivered to them (only 5% of information is retained with passive-learning delivery).

One of the biggest gaps in cyber training is that there isn't a way to effectively measure cyber competencies in this traditional method. The proof is in the performance when professionals return to their desks and attempt to identify incoming threats and stop them. That absolute, black-and-white way of measuring performance is too risky for businesses to stake their reputation and assets on.

Leaders who send their teams to these trainings need to know the following:

1) what new skills cyber teams have acquired
2) how their performance compares to their colleagues'
3) what current skills they have improved
4) what cyber activities they have completed to demonstrate improvement/progression

Today's off-site trainings don't answer those questions until it's too late and a threat has taken over a network. Professionals can "see" really quickly when a learned skill doesn't translate to real life.

Embrace the journey of learning

There is a better way to train professionals, and it can happen with gamification. But don't let us be your only source of truth. Talk to people. Listen to their experiences training traditionally and hear firsthand what they want out of a skill-building opportunity. Read the latest research on gamification in the corporate workplace. Then make connections based on the intel you've gathered to evaluate whether gamification is right for your organization's professional development approach.

We’ll be here when you’re ready to dive deeper into specific solutions.

Photo by sergio souza on Unsplash

Are you living the CISO nightmare? Five Cyber Concerns Keeping Them Up at Night

What keeps CISOs up at night? Is it the looming concern of a threat? The uncertainty of cloud security? Wondering if you have enough cyber pros on the frontlines to defend and protect? Maybe it's all three, and more. CISOs are carrying a lot of security responsibility on their shoulders, all while trying to make sure their department is transparent, vigilant, agile, and of course, secure. Focusing on so many areas of digital opportunity, security vulnerability, and defensive improvement makes it challenging for CISOs to truly dedicate attention to any specific operational "thing" for too long before they have to move to the next issue. Adapting to this rapid pace of change in the security industry can compromise security strength and lead to growing concerns about whether teams are really prepared for the next threat. We've pinpointed the top five cybersecurity concerns of CISOs that are the stuff nightmares are made of.

  1. New Threats

This shouldn't be a surprising concern. Threats are ever-evolving, just as technology and digital connectivity are. While CISOs strive to keep their defenses up to snuff with the latest technology, there is always a new weakness waiting to be exploited. The recent government shutdown is a perfect example. It pulled many defenders off the frontlines of security, leaving the door wide open for malicious hackers to walk right in and do unimaginable damage. Also, the 2016 election attracted black hat hackers to manipulate public perception of the race via the use of social media. There's always a new threat, a new vulnerability to be wary of, and CISOs are looking for ways to ensure their teams are always ready, always prepared, and have the proper support they need from machines and fellow colleagues to keep assets and people safe from harm.

  2. Minimal Agility

While CISOs desire agile operations and solutions, many still follow a linear "waterfall" model with sprinklings of agile adaptations. Developers who create security solutions, in particular, tend to follow prescriptive, step-by-step requirements without always considering how security fits into the bigger solution picture. One can imagine the repercussions of such an approach. Failure to close the widening gap between deployment velocity and security implementation can yield weak security resilience. CISOs wonder if their organizations are strong enough to have both deep security testing in place and remediation plans effective enough to remove any semblance of fear, uncertainty, and doubt. DevSecOps spells opportunity for agile security, as the approach advocates for the integration of security "checks" during every stage of development, from planning to coding to testing, deployment and monitoring.

  3. IoT and Cloud Security

As work migrates out of the traditional office, users are moving off the network and accessing the cloud directly. More applications and servers are moving to the cloud to save money, achieve scale, and obtain greater access. However, massive amounts of sensitive data are now stored in the cloud, and the "location" of that data and the perceived lack of visibility into it are concerning for CISOs. According to a Kaspersky Lab study, one in three CISOs ranked cloud computing as a top security risk. Part of a CISO's job is to apply controls to cloud security, but when other responsibilities, including managing security solutions, take priority, concerns about cloud security often go unalleviated.

  4. Cybersecurity Skills Gap

This is one of the recurring nightmares for CISOs: finding and retaining enough security talent to build a capable cyber team with the right skills to address attacks. CISOs need a solution to improve the cyber skills at their company but can't realistically send everyone away to class. Likewise, CISOs may realize they have skills gaps on their teams, and assessing their competencies and hiring the right talent is becoming a growing challenge. Further, every CISO is concerned about their company being the next news headline of a cyberattack, so they are constantly worried about their overall cyber readiness and keeping their teams razor sharp. Looking down the barrel of a 300,000+ security job shortfall in the U.S. alone, CISOs fear their teams, whether large or small and mighty, may not have all the skills they need to effectively stop new threats.

  5. Rebuilding Trust

It's been a bad few years for cybersecurity leaders, with the growing number of well-publicized hacks of large and small companies. Naturally, such news leaves many consumers and company stakeholders distrusting companies that fall victim to these attacks. What's worse is trying to rebuild trust after an attack. Neither a flip of a switch nor an apologetic PR statement automatically regains public trust in a company's data security. It can take months or even years for a company to bounce back from a breach of any magnitude. Privacy issues, security and device addiction are all elements that need to be addressed from the beginning in order to take ownership of and responsibility for how customer data is stored, used, transferred, and accessed.

There's often too much momentum in the way of today's cyber operations to allow for any kind of change, but this is something that MUST change. CISOs and their teams live with cybersecurity worries, threats, and "unknown unknowns" that are simply too scary to block out. Frustrated talent and limited budgets perpetuate these cybersecurity nightmares. For CISOs to wake up from these horrible scenarios, they need to consider new ways to develop their teams and foster holistic "security is everyone's responsibility" cultures in order to move forward. New threats, cloud security issues, and skills gap concerns can be quelled with the proper persistent learning solutions in place to empower and augment cyber teams toward a stronger security infrastructure. Likewise, educating the entire staff, not just the IT department, on security issues and best practices ensures everyone will have sweeter dreams.

Photo by Sergey Zolkin on Unsplash