Living our Mission Blog Series: Hitting a Home Run with Circadence’s Security Management, thanks to TS Reed, Cybersecurity Engineer

Reading Time: 3 minutes

The journey to cybersecurity engineer has been an exciting one for Circadence’s TS Reed. The former baseball pro turned security tech expert found his passion for problem solving at Circadence. After completing an undergraduate degree in criminology at Cal State Northridge, he pursued a master’s degree in mechanical engineering at CSUN and then a master’s in cybersecurity engineering from the University of San Diego.

TS started as an intern at Circadence and was quickly onboarded as a full-time employee for his technical prowess, adaptability, and knowledge of modern security functions and processes. For the past three years at Circadence, TS has monitored the company’s network security, tested the security of its products (including Project Ares) and learned how and what to look for to stay one step ahead of attackers.

“It’s impossible to be bored in this job. Security is always changing: the way people build it, the way people attack it. You have to continuously learn and teach yourself the latest and greatest practices,” said TS.

But cybersecurity management wasn’t always in the stars for TS. Prior to joining Circadence, TS coached division one baseball at the University of San Diego and was also an assistant coach and recruiting coordinator at the University of Arkansas Fort Smith. A Cal State Northridge Alum, TS was a well-respected baseball player, hitting home runs in the athletic industry (named a CIF California Player of the Year and a Division 1 All-American at CSUN) with the fourth highest batting average at the 2008 Big West Conference. After college he went on to play one year of professional baseball in St. Louis for the Gateway Grizzlies of the Frontier League.

He traded in his baseball cleats for cybersecurity after discovering the inherent problem-solving nature of the field—a part of the job that greatly intrigued TS to dive into a completely new field of study and long-term career trajectory.

For TS, one of the best ways to “win the game” in the security field is to think like a hacker. By understanding what vulnerabilities they look for to exploit and why, security engineers like TS, know how to harden systems and deploy preventative measures beforehand. And while open forum online communities help TS and other security professionals “understand the mind of a hacker” there is always a level of uncertainty he has to deal with.

“Hackers are attacking constantly and finding new ways to infiltrate networks,” said TS. “We have to stay as close to them as possible,” he adds.

While TS’ professional journey has been unconventional at best, he has noticed many lessons from his baseball career that have translated into the cyber arena.

“Teamwork is huge; I learned early on in baseball that every teammate receives things differently. You have to take the time and care enough to figure out how your team members communicate. [In cyber security], everyone communicates differently too. Both in receiving communication and externally communicating. Step one is always getting a feel for that in order to be as effective as possible when communicating with teammates/team members.”

Likewise, TS learned that in baseball, a player’s own skill level and performance weren’t the sole indicator of how “good” a teammate was. The greatest measure, he says, is how effective one is at making others better and serving them.

“To be good at and handle your job is one thing but whenever you have a team involved, the greatest measure of a player or cyber employee is the capability to lift up those around them and make them better,” he advises. Empowering teammates, teaching them, and learning from them is the approach he lives by at Circadence.

We are proud to have TS as part of the Circadence family and know while he’s not hitting balls out of the park at the stadium, he’s hitting home runs with Circadence, hardening its cyber security posture.

Photo by Joey Kyber on Unsplash

Living our Mission Blog Series: Supporting Cyber Red Teams, with Consultations and Pen Testing from Josiah Bryan

Reading Time: 2 minutes

While Circadence is proud to be a pioneer that has developed innovative cyber learning products to strengthen readiness at all levels of business, there’s one professional area at Circadence that doesn’t tend to get the limelight, until now. Meet Josiah Bryan, principle Security Architect for Circadence’s security consultation services, aptly called Advanced Red Team Intrusion Capabilities (ARTIC for short). For almost two years, Josiah has provided support and services to Red Teams around the country, those leading-edge professionals who test and challenge the security readiness of a system by assuming adversarial roles and hacker points of view.

Josiah enjoys doing penetration testing and exploit development with Red Teams at a variety of companies to help them understand what a bad actor might try to do to compromise their security systems.

But Josiah wasn’t always on the offensive side of cyber security in his professional career. He was first introduced to the “blue team,” or the defensive side of cyber, when he began participating in Capture the Flag competitions across the U.S. during his time as a computer science student at Charleston Southern University. Those competitions also exposed him to the offensive side of security training and he never looked back.

After graduation, he took a job in San Diego with the U.S. Navy as a DoD civilian, finding vulnerabilities in critical infrastructure, which were then reported up to the Department of Homeland Security.

“Learning how the DoD operates internally and how they conduct penetration tests/security evaluations was an extremely valuable skill and great background for my current job at Circadence,” he says.

In addition to consulting with Red Teams, Josiah uses a variety of tools to show and tell companies about existing vulnerabilities. For example, badge scanners that let people gain access to a facility or room are quite common devices for Josiah and his team to test for customers. He might also use USB implants that provide full access to workstations and wireless signal identification devices.

“We show people how easy it is to get credentials off of someone’s badge and gain access to an area,” he says. “They never believe we will find vulnerabilities but when we do, they realize how much they need to do to improve their cyber readiness,” he adds.

But, ultimately Josiah’s favorite part of his job is the level of research and analysis he gets to do. “We are a research team, first,” he says. “We are pushing the boundaries in cybersecurity and discovering new ways that bad actors might take advantage of companies, before they actually do.  It’s a great feeling to help companies and Red Teams see the ‘light’ before the hackers get them,” he adds.

Whether circumventing a security measure or patching a system, Josiah’s contributions to the field are significant.

“Finding new ways to help people understand the importance of strong cyber hygiene is fulfilling,” he says. “We can’t stress it enough in today’s culture where attacks are so dynamic and hackers are always looking for ways to take advantage of companies.”

To stay on the cutting edge of Red Team support, Josiah follows Circadence’s philosophy to persistently learn new ways to protect people and companies. “Any company is only as good as the least trained person,” Josiah says.

 

How to stay safe from social engineering attacks

Reading Time: 4 minutes

What is social engineering and why does it matter? In the context of information security, it is a hacking tactic designed to psychologically manipulate or “trick” a person into performing actions or divulging confidential information. Social engineering threats are a wildly popular way for cybercriminals to get access to money or damage a company’s reputation. In fact, the social engineering statistics in the past year are daunting. In 2018, more than 17% of workers fell victim to social engineering attacks, according to InfoSecurity Magazine. This is problematic, as you can imagine because it disempowers people who place their trust in digital communications and leaves them feeling scared to engage with anyone online (especially if they’ve fallen victim to an attack already). Likewise, the propensity of workers who fall for these attacks tells cyber professionals that more needs to be done to: 1) educate people on what social engineering is, 2) how it manifests and impacts your personal life, and 3) the effects it can have on companies whose workers succumb to the attacks. In this article, we will discuss ways to recognize social engineering in your digital life and how to increase your cyber security awareness for these types of attacks using…games (yes, games!). More to come on that later.

Types of Social Engineering Attacks and How to Spot Them

Social engineering techniques come in many forms, but one of the most common ways to manipulate a person is via phishing email or a phone call. A malicious hacker could pose as one of your email contacts and send you a message to get personal information. Or an email aligning to your interests that seemingly comes from a store you frequent could allow a hacker access to your bank account. Perhaps your friend reaches out in need of help for an issue they are experiencing. One click in that email and a cybercriminal has instant access to all kinds of data about you from the operating system you use, even your social security number.

 

Some warning signs to think about if you believe you’re being attacked:

  • A hacker won’t give you their contact information, name, phone, or email address; they tend to pose as “someone else” familiar to you; if you’re at all suspicious and ask for their real name and info, they won’t divulge.
  • Hackers might come across with a sense of urgency and you need to act quickly to prevent something bad from occurring.
  • They might intimidate you to convince you to take action by informing you of an “issue” using technical words they know you won’t understand, yet seem legitimate.
  • They could misspell words in their communications or ask odd questions to get you to reveal more information.
  • Effective social engineers will try to build trust with their victim first by associating themselves with a reputable company or simply starting a casual conversation about a topic of your interest.

“My mom just became a victim of a social engineering hack recently…A person hacked into her email and she received a notice her firewalls were damaged and that she needed to pay money to have them restored before her data was compromised…a few hours later she found herself on the phone with a supposed representative of a reputable tech company giving out her credit card info to remedy the situation. It was incredibly disheartening to hear and I felt terrible that she experienced that. Fortunately, she was able to get her money back but this wasn’t the first time she fell victim to such a scam.” ~ a Circadence employee

This is just one example of what can happen when someone is unaware of social engineering tactics or just doesn’t know how to recognize them.

How to Protect Yourself from Social Engineering Attacks

Understanding defensive strategies will help anyone looking to “up the ante” on their social engineering detection prowess. Some strategies include:

  • Know what “bad” emails look like/email sender email address
  • Identify suspicious website URLs
  • Set spam filters to “high”
  • Update your passwords regularly (and don’t just change one character to make it “new”)

These are just a few options but honestly, one should not simply “pick and choose” from the above options in a silo. Those looking to protect themselves should adopt what SANS calls a “multi-layered” defense against social engineering, where if a hacker penetrates one level of protection, he/she can’t get into the next layer without being “found out.” And when all else fails, trust your gut! If something seems strange, out of the blue, or too good to be true, it probably is.

Persistent Cybercrime Requires Persistent Cyber Learning and Training – with Games!

Security awareness and defensive strategies are more than just telling people to update their software when prompted. It requires a deeper analysis and understanding of what, when, and how cybercriminals exploit vulnerabilities (and warning signs you’re being attacked).

Further, as social engineering attacks infiltrate and impact businesses, employees need to know what confidential information is, how to identify sensitive data, and how they as individuals can safeguard it simply by being proactive and cautious in their everyday online behavior. Nobody is immune to a social engineering attack and malicious hackers are working new vulnerable people every day to make progress and get what they want. But don’t let the “doom and gloom” of persistent cybercrime get you down…get empowered and fight back!

To begin a journey toward social engineering self-protection, we recommend looking into tools that help you learn cyber security basics and foundations. Our inCyt tool can help with that. It is a gamified security awareness training solution that doesn’t require any prerequisite knowledge of cyber security to play.

Accessible via a browser, inCyt invites players to complete in epic cyber-themed battles to increase the Cyber IQ of all players. Players gather intel and then use gamified hack processes like phishing and malware to take out their opponent. It disrupts the standard, stale teaching options currently available by giving people instant, approachable access to learning cyber in a fun way. Non-technical employees too, can play and learn real-world concepts like social engineering.

Social engineering is a very real threat and one that isn’t going away any time soon. Once companies realize that every cyber vulnerability starts with its people knowing and understanding how to protect themselves, the more companies will be on the defensive against these types of attacks. A willingness to empower oneself with persistent, gamified training and a multi-layered defensive approach is key to stopping social engineering hackers in their tracks. If more people adopt these strategies, social engineering will become much more difficult to deploy.

Photo by Austin Distel on Unsplash
Photo by Tom Roberts on Unsplash

Exclaim “Cyber for All!” During National Cyber Security Awareness Month

Reading Time: 5 minutes

Happy National Cyber Security Awareness Month! We all know that cyber security isn’t just a month-long focus area for businesses and individuals—but this month, we are grateful for the collaborative effort between government entity Department of Homeland Security and the National Cyber Security Alliance that together, place a lens on cyber (as an industry, strategy, and operation). It reminds us that the industry is persistent and impacts us all, and is not siloed into a single time span, or targeted to a specific industry or person. We know this because of data cyberattacks on businesses occurring every day, the continual discussion about the cyber talent “gap” and lack of holistically-trained workforce, and because of the ineffectiveness of passive-learning training models many professionals are exposed to today. Nevertheless, as the world draws its attention around cyber in October and the industry evolves to better serve today’s professionals and businesses, we wanted to communicate the critical idea that cyber really IS for all as we strive to make cyber awareness learning accessible, intentional, and effective.

Making cyber learning accessible

We believe there are three ways to make cyber learning more accessible: providing a comprehensive learning curriculum, making it available via a browser, and using gamification as a tool for ingesting and retaining new information.

Before we dive into each of those areas, let’s get more context about the concept of cyber learning itself. For a long time, cyber security has been thought of as a technical career and while there is a great deal of technical prowess that goes into the day-to-day tasks of a cyber pro, the idea of cyber security being an “anyone can do it” profession hasn’t popularized – and rightly so.

With roots in the military and government (cyber range training), learning cyber security has been a structured, systematic, and data-driven process typically executed in a passive learning setting where students watch or listen and then take a test at the end of the lesson. There is minimal opportunity for hands-on practice in safe and secure environments, making cyber security learning and awareness of its purpose, value, and function a little more ethereal than we in the industry would like.

Comprehensive Learning Curriculum

One way to ensure “cyber for all” (our rally cry this year), is to make cyber training more readily available to reach today’s learner (the next generation of cyber pros) while injecting a touch of personal accountability toward the concept. This should include a learning curriculum that addresses:

–      General awareness topics: These are topics that are broadly applicable to all employees of an organization and ones they should know regardless of IT level or expertise. Cyber security awareness topics at this level might include phishing, malware, social engineering, identity theft, removable media security, insider threats, social media vulnerabilities, etc.

–      Industry-focused topics: relevant cyber security issues segmented by industry where security is a priority, especially highly regulated sectors like healthcare, government and industry, finance, election security, manufacturing, electricity, etc.

–      Executive level topics: more functional/business topic areas where corporate leaders and other high-risk personnel and privilege users are impacted. Cyber security awareness topics at this level might include support/maintenance, consulting, managed services, legislation, risk assessment, etc.

By offering pathways upon which interested cyber enthusiasts or seasoned pros can “walk along,” it gives learners an idea as to how to develop their knowledge and skills. Further, cyber learning and awareness becomes more accessible because there is a route—or cyber learning journey—for everyone to choose.

Browser-Based Accessibility

The other component to ensure learning cyber awareness is accessible is by making the act of learning available to virtually anyone—via a browser. Online trainings today are quite popular for cyber enthusiasts and pros in training who want to hone their skills—and the idea of being able to access a cyber security course or activity online without having to leave the office or home is not only convenient but preferred these days. Some companies (like ours) are taking cyber training a step further by placing it in the cloud (Microsoft Azure) so learning can be scalable, more collaborative, and more customizable to learner needs.

Gamified Cyber Learning

Finally, cyber awareness learning can be attained by making learning fun. We do this with elements of gamification, which engage and inspire learners to train in environments that are not only realistic but also supported by a compelling narrative that invites players to progress through activities. Components like leaderboards, points, badges, and team-based collaboration allow learners to build a sense of “healthy competition” while learning and building skills and cyber competencies. Circadence offers learners of all skill levels various game-based activities from foundational concept learning in games like RegExile to application and analysis in Project Ares’ battle rooms and missions.

One student who played our RegExile cyber learning game in his cyber security course at CU Boulder said:

“I played the RegExile game today and I have to say I have hated regex till now, but when I learned it through the game, I actually liked it. It was really fun. I liked the concept of how a false sense of impending danger from the robots can make you think better and learn more. I was typing out my regex and actually thinking quite hard on how it could work and what I could do to make sure it was right as I did not want to lose the shield. I learned more through this game on regex than what I had in my undergrad class.” ~ Student at CU Boulder Cyber Security Course

Make Cyber Learning Intentional

Cyber learning has to be intentional. In order for students and existing cyber pros to get the most out of their training, they need a curriculum path that is not only diverse (based on skill needs), but also one that addresses all phases of learning: knowledge, comprehension, application/analysis, and synthesis/evaluation.

Can we insert an image that illustrates the “learning phases” of knowledge, comprehension, application/analysis, and synthesis/evaluation?

After understanding what cyber concepts are and how they impact our professional and personal lives (knowledge and comprehension), a learner needs to be able to build their cyber literacy and knowledge “essentials” by developing baseline cyber skills (application/analysis). Then, they can apply those skills in objective-based activities that synthesize concepts (evaluation).

“I personally found Project Ares to be a great learning experience and thought the mission environment was seamless.” ~ Chris N. UNCW Cyber Security Operations Club

Making Cyber Learning Effective

For IT Security Specialists and professionals, cyber learners can advance their competencies via recurring role-based training combined with continuing education and real-world experience trainings. Cyber learning needs to be rooted in best practice, industry-defined frameworks and there’s no better model to follow than the framework set forth by the NIST/NICE organization.

By aligning learning curriculum against work roles, learning concepts and skills inherently becomes more effective because it is RELEVANT for people. They learn concepts, how to apply them and can draw connections to how those concepts apply to their own jobs or jobs they aspire to. Further, the learning permeates into individual’s personal lives as well, enhancing cybersecurity at home.

We have built-in five NIST/NICE work roles that are present in Project Ares for trainees to work toward including:

–      Cyber Defense Infrastructure Support Specialist

–      Information Systems Security Manager

–      Threat Warning Analyst

–      Systems Security Analyst

–      Cyber Defense Analyst

Intentional cyber learning following this framework focuses on a particular technical topic, such as Incident and Event Management, Identification of Privilege Escalation Techniques, or Elections and Voting Security. This type of work role specification helps make learning cyber a reality.

Summing it up

While there’s no switch to turn on every part of this “cyber for all” plan, we hope it helps shed light on ways security leaders and HR directors can begin to cultivate an inclusive cyber culture in their own workplace, among their own teams. As we celebrate National Cyber Security Awareness Month (NCSAM 2019), it’s important for us to resurface conversations around what it means to actually be aware and how we can manifest that meaning into something that really makes an impact on business’ security posture. We hope this post is one inspiration to start initiating those conversations around shared responsibility to ensure all Americans stay safe.

 

Photo by Joel Muniz on Unsplash

Photo by Mimi Thian on Unsplash

Why Alternatives to Traditional Cyber Training Are Needed Immediately

Reading Time: 4 minutes

Are you looking for a more effective, cost-conscious cyber training tool that actually teaches competencies and cyber skills? We’ve been there. Let us share our perspective on the top cyber training alternatives to complement or supplement your organization’s current training efforts.

Cyber training has evolved over the years but not at pace with the rapid persistence of cybercrime. Cyberattacks impact businesses of all sizes and it’s only a matter of time before your business is next in line. Traditional cyber training has been comprised of individuals sitting in a classroom environment, off-site, reading static materials, listening to lectures, and if you’re lucky, performing step-by-step, prescriptive tasks to “upskill” and “learn.” Unfortunately, this model isn’t working anymore. Learners are not retaining concepts and are disengaged from the learning process. This means by the time they make it back to your company to defend your networks, they’ve likely forgotten most of the new concepts that you sent them to learn about in the first place. Read more on the disadvantages of passive cyber training here.

So, what cyber training alternatives are available for building competency and skill among professionals? More importantly, why do you need a better way to train professionals? We hope this blog helps answer these questions.

Cyber Range Training

Cyber ranges provide trainees with simulated (highly scalable, small number of servers) or emulated (high fidelity testing using real computers, OS, and application) environments to practice skills such as defending networks, hardening critical infrastructure (ICS/SCADA) and responding to attacks. They simulate realistic technical settings for professionals to practice network configurations and detect abnormalities and anomalies in computer systems. While simulated ranges are considered more affordable than emulated ranges, several academic papers question whether test results from a simulation reflect a cyber pro’s workplace reality.

Traditional Cyber Security Training

Courses can be taken in a classroom setting from certified instructors (like a SANS course), self-paced over the Internet, or in mentored settings in cities around the world. Several organizations offer online classes too, for professionals looking to hone their skills in their specific work role (e.g. incident response analyst, ethical hacker). Online or in-classroom training environments are almost exclusively built to cater to offensive-type cyber security practices and are highly prescriptive when it comes to the learning and the process for submitting “answers”/ scoring.

However, as cyber security proves to be largely a “learn by doing” skillset, where outside-of-the-box thinking, real-world, high fidelity virtual environments, and on-going training are crucially important, attendees of traditional course trainings are often left searching for more cross-disciplined opportunities to hone their craft over the long term. Nevertheless, online trainings prove a good first step for professionals who want foundational learnings from which they can build upon with more sophisticated tools and technologies.

Gamified, Cyber Range, Cloud-Based Training

It wouldn’t be our blog if we didn’t mention Project Ares as a recommended, next generation alternative to traditional cyber training for professionals because it uses gamified backstories to engage learners in activities.  And, it combines the benefits and convenience of online, cyber range training with the power of AI and machine learning to automate and augment trainee’s cyber competencies.

Our goal is to create a learning experience that is engaging, immersive, fun, and challenges trainee thinking in ways most authentic to cyber scenarios they’d experience in their actual jobs.

Project Ares was built with an active-learning approach to teaching, which studies show increase information retention among learners to 75% compared to passive-learning models.

Check out the comparison table below for details on the differences between traditional training models and what Project Ares delivers.

Traditional Training
(classroom and online delivery of lectured based material)
Project Ares
(immersive environment for hands on, experiential learning)
Curriculum Design

  • Instructors are generally experts in their field and exceptional classroom facilitators.
  • Often hired to develop a specific course.
  • It can take up to a year to build a course and it might be used for as long as 5 years, with updates.
  • Instructors are challenged to keep pace with evolving threats and to update course material frequently enough to reflect today’s attack surface in real time.
  • It is taught the same way every time.
Curriculum Design

  • Cyber subject matter experts partner with instructional design specialists to reengineer real-world threat scenarios into immersive, learning-based exercises.
  • An in-game advisor serves as a resource for players to guide them through activities, minimizing the need for physical instructors and subsequent overhead.
  • Project Ares is drawn from real-world threats and attacks, so content is always relevant and updated to meet user’s needs.
Learning Delivery

  • Courses are often concept-specific going deep on a narrow subject. And it can take multiple courses to cover a whole subject area.
  • Students take the whole course or watch the whole video – for example, if a student knows 70%, they sit through that to get to the 30% that is new to them.
  • On Demand materials are available for reference (sometimes for an additional fee) and are helpful for review of complex concepts.   But this does not help student put the concepts into practice.
  • Most courses teach offensive concepts….from the viewpoint that it is easier to teach how to break the network and then assumes that students will figure out how to ‘re-engineer’ defense. This approach can build a deep foundational understanding of concepts but it is not tempered by practical ‘application’ until students are back home facing real defensive challenges.
Learning  Delivery

  • Wherever a user is in his/her cyber security career path, Project Ares meets them at their level and provides a curriculum pathway.
  • From skills to strategy:   Students / Players can use the Project Ares platform to refresh skills, learn new skills, test their capabilities on their own and, most critically, collaborate with teammates to combine techniques and critical thinking to successfully reach the end of a mission.
  • It takes a village to defend a network, sensitive data, executive leaders, finances, and an enterprises reputation:  This approach teaches and enables experience of the many and multiple skills and job roles that come together in the real-world to detect and respond to threats and attacks….
  • Project Ares creates challenging environments that demand the kind of problem solving and strategic thinking necessary to create an effective and evolving defensive posture
  • Project Ares Battle Rooms and Missions present real-world problems that need to be solved, not just answered. It is a higher-level learning approach.

If you want to learn more about Project Ares and how it stacks up to other training options out there, watch our on-demand webinar “Get Gamified: Why Cyber Learning Happens Better With Games” featuring our VP of Global Partnerships, Keenan Skelly.

  You can also contact our experts at info@circadence.com or schedule a demo to see it in action!

Photo by Helloquence on Unsplash

Help Wanted: Combating the Cyber Skills Gap

Reading Time: 4 minutes

Recent news headlines frequently communicate about the massive shortage of cyber skills in the industry so we wanted to dig deeper into this phenomenon to find out why there’s a talent shortage and what can be done about it. Cyberattacks are permeating every commercial and government sector out there yet industry and analyst reports indicate there isn’t a large enough talent pool of defenders to keep pace with evolving threats. When data is compromised and there aren’t enough cyber security staff to secure the front lines, we ALL are at risk of identity theft, monetary losses, reputational damage, fines, and operational disruption. cy

Statistics on the Cyber Skills and Talent Gap

With more than one in four organizations experiencing an advanced persistent threat (APT) attack and when 97 percent of those APT’s are considered a credible threat to national security and economic stability, it’s no wonder the skills shortage is on everyone’s mind.

A report from Frost & Sullivan found that the global cybersecurity workforce will have more than 1.8 million unfilled positions by 2020 (that’s next year!) while some sources report a 3.5 million shortfall by 2021.

It begs several questions:

  • What’s causing the shortage of cybersecurity skills? According to a Deloitte report, the lack of effective training opportunities and risk of attrition may be to blame.
  • Is there really a shortage of talent? Hacker, security evangelist, and cyber security professional Alyssa Miller thinks there is more of a cyber talent disconnect between job seeker’s expectations of what a job entails versus what employer’s demand from a prospective candidate.
  • How do we fill these cyber positions? A study of 2,000 American adults found that nearly 80% of adults never considered cyber security careers. Why? Sheer unawareness. Most had never even heard of specific cyber job roles like a penetration tester and software engineer and others were deterred by their lack of education, interest, and knowledge about how to launch a cyber career.

Strategies to Minimize the Cybersecurity Skills Shortage

Given the pervasive nature of cyber security attacks, businesses can’t afford to wait around for premiere talent to walk through the door. Companies need to take a proactive and non-traditional approach to hiring talent—and, yes, it takes effort.

Miller suggests that recruiters “must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach.”

Whether looking to fill a position in digital forensics or computer programming or network defense or even cyber law, the skills required for those positions can be taught with the right tools. Companies should learn to be flexible with those requirements as many are now filling unopened positions by hiring and then teaching and training professionals on preferred cyber skills and competencies. Recruiters need to adopt a paradigm shift during the talent search and be more comfortable hiring for character and cultural fit first, then, training for skills development.

Fill the talent pipeline

Consider hiring people with different industry backgrounds or skill sets to bring new ideas to the table. Sometimes, getting an “outside” perspective on the challenges firms are facing sheds a new light because they notice nuances and inconsistencies that internal teams, who are in the day-to-day, may not see immediately. Look for passionate candidates with an eagerness to learn.

Companies today are prioritizing skills, knowledge, and willingness to learn over degrees and career fields because they know that some things cannot be taught in a classroom such as: curiosity, passion, problem-solving, and strong ethics.

Look for individuals with real-world experience

If you happen to have candidates in your pipeline that have industry knowledge, ask about their real-world experience. Inquire about the kinds of things they’ve learned in their previous position and get them to share how they remedied attacks. Create a checklist of skills you desire from a candidate that may include identity management, incident response management, system administration, network design and security, and hacking methodologies, to name a few. Learning how they dealt with real situations will reveal a lot about their personality, character, and skill set.

Re-examine job postings

Often a job posting is the only thing compelling a candidate to apply for a position. If the job posting is simply a laundry list of skills requirements and degree preferences, it may deter candidates who have those skills but also seek to work for a company that values innovation, creativity, and strategic vision. Read descriptions carefully to determine if they portray the culture of your organization. If a cultural vibe is lacking, it may be time to inject a sense of corporate personality to attract the right candidates.

Provide continuous professional development opportunities

With advances in technology, professionals need to be on top of the latest trends and tools to succeed in their job. That is why it is vital to re-skill and persistently train cybersecurity professionals so they can prepare for anything that comes their way—and you can retain your top talent. Conferences, webinars and certifications are not for everyone—so it is important to find growth opportunities that employees want to pursue for both their personal as well as their professional benefit.

Create a culture of empowerment for retention

CISOs can set expectations early in the hiring process so candidates understand how their specific role impacts the organization. For example, during the interview process, notify candidates of your expectation that they be “students of the industry” such that they are expected to stay on top of security news and happenings.

Gartner advocates for a “people-centric security” approach where stacks of tools are secondary to the powerful human element of security. Additionally, send out quarterly or bi-monthly roundups of the latest cyber security news and events to keep your team abreast of current affairs. Making it as easy as possible for them to be “students of the industry” increases the likelihood that they will remain current on industry developments and engaged in their role.

Invest in Cyber Training to Cultivate Talent

Executives are demonstrating their support for strong info security programs by increasing hiring budgets, supporting the development of info security operation centers (SOCs) and providing CISOs with the resources they need to build strong teams.

With the right talent, you will have a better chance of successfully defeating attackers, staying aware of current threats, and protecting your team, your company—and your job. These strategies will go a long way in preventing future attacks and preparing staff and systems to respond when things go awry. The cyber security staffing shortage is no longer just a cyber security department issue—it’s a global business risk issue.

 

Living Our Mission: Embracing the Art of Gamification with Hector Robles, Lead Game Designer at Circadence

Reading Time: 4 minutes

If there’s anyone who truly embodies the art of gamification, Hector Robles name just might top that list. As a lead game designer at Circadence, Hector works closely with the company’s content and curriculum departments to take complex cyber concepts and learning paths and artistically weaving them into fun cyber games that make learning desirable.

Hector has more than nine years of professional experience in the game design and cyber security/tech space, but his career wasn’t always rooted in making games for companies. In fact, after graduating from high school, Hector proudly served in the U.S. Army, as a military police officer. It was there he gained an understanding of and appreciation for the importance of security as a whole. Hector saw firsthand how proliferating technology impacted both civilian security and military security operations. After his service, Hector followed his interest and passion for game design by attending the Miami International University of Art and Design and graduating with a degree in game design. Then, he began working with media conglomerates and startup companies as a designer, producer, and artist.

But something was missing. While Hector was accumulating an impressive portfolio of entertainment game design work, he sought something more meaningful—a way to apply his skills in game design to help others. It was then he learned about Circadence and joined the game development team alongside colleagues Kari Sershon, Ronaldo Periera and Jose Velazquez.

Hector has worked on Circadence’s flagship platform Project Ares, specifically the cyber learning games embedded within it. The cyber learning games that Hector has designed will also soon become a part of the CyberBridge Essentials learning hub for wider customer access. Hector’s work can be seen most poignantly in Circadence’s new 2019 game, RegExile, which teaches players how to do regular expression coding work. RegExile helps players learn the syntax of regular expressions so they can efficiently parse through the data in search of evidence of a breach. It is a fast-paced pattern-recognition game that teaches the concepts of regular expression while exercising player’s muscle memory and reaction time. The game challenges players to form the correct expression to select or exclude data while immersing them in a futuristic “save the world” scenario filled with human-destroying robots. Players must recognize patterns in the names and type proper RegEx techniques to eliminate robots before they destroy the colony.

For Hector, designing games like this is fulfilling. “It’s a completely different beast from entertainment game design. It’s meaningful to take complex cyber concepts and turn them into fun, interactive, easily-digestible material for players—whether it’s people just starting out in cyber security or seasoned professionals looking to brush up on skills,” Hector says.

Hector typically approaches new game development by first thinking about how to make a certain concept or task in cyber “fun.” He does a lot of game research to come up with ideas of new game play designs and layouts. The research, which may include playing a game of Dungeons and Dragons to get the cognitive juices flowing, playing an arcade style game to think of narrative storylines and actions, or even breaking out a board game with friends, sparks Hector’s imagination and creativity. Once he has an idea of what kind of game he wants to create to teach the cyber concept that the Circadence Curriculum team has outlined, he develops a one-page pitch for stakeholders that presents his ideas cohesively, including details on game objectives, purpose, and technical specifications. After approval, the fun begins! Hector and his team start prototyping features and components of the game to make the ideas on paper become reality. For RegExile, he planned out the movement of the robots in the game by moving game board pieces around to capture an authentic “in game” feeling for the player.

“I try to always think about what games are out there and how we can make our games truly unique,” says Hector. “We’re constantly thinking about things like accessibility, narrative, and pacing to ensure our games aren’t just entertaining, but that people are really learning from them,” he adds.

Hector is also working on augmented reality and virtual reality card games where players can learn cyber security concepts in industry-specific settings like oil rigs and power plants to further engage one’s understanding of different cyber threats and defense tactics in the cyber kill chain. Users will eventually be able to use physical playing cards to learn things like ports and protocols too. Stay tuned for more on that!

While some may view Hector’s work as all fun and games, it does have a meaningful component that many end-users don’t think about at first. When someone logs onto a game, they are presented with audio/visual and text-based cues to inspire their behavior or ignite an action. Those cues are what allow a player to understand how to engage and act in a game setting, so they are not confused as to what to do or how to do something. Hector’s work takes the guessing out of game play for Circadence’s products. Players who engage with a cyber learning game like RegExile know immediately how to play the game and what the objective is without having to jump through hurdles or be confused at where to start. Thank Hector and his team for that!

“When they get to the platform, they know what to do, the basics of the tool, and more of the narrative and understanding of how they’ll engage with it,” said Hector. “It’s the components we build into the game that allow them to feel empowered when they hit “play” to start,” he adds.

It’s Hector’s team’s expertise behind the coding work, gamification elements, and user interface that comes together to create the best user experience for the player. The art of gamification not only engages and entertains, but it inspires, teaches, and instills cyber knowledge in the minds of players who want to grow in cyber competency and skill.

“Seeing someone’s face light up when they play our games brings a smile to my face,” says Hector. “At first they’re hesitant but then they start playing and there is a moment of clarity that washes over their face that makes the time and energy put into our games all worth it.”

Hector believes the best way to learn is by playing games. That’s what ‘living our mission’ at Circadence is all about. The power of games can cement cyber concepts and we look forward to seeing what Hector and his team whip up next to keep professionals and first-time cyber learners coming back for more knowledge and skill building.