Real World Cyber Security Experience: From Learning to Earning

Real world, experiential learning helps students develop knowledge, skills, and abilities that they can take directly from the classroom to the workplace.

This direct connection from learning to earning is important to all students, but none more so than adult learners who have gone back to school, often while continuing to work full-time. Maybe their goal is to grow in their current job role or career. Maybe they are ramping up for a job or career change. Maybe they are exploring new interests. Regardless of motivation, after juggling the many demands of working while going to school, most adult learners expect to graduate with skills that they can immediately apply in the workforce or other direct activity.

To say that the cyber security industry is seeking skilled job candidates is an understatement.  Cybersecurity Ventures predicts that there will be 3.5 million (that’s million) unfilled cybersecurity jobs globally by 2021.   The interactive Cyber Seek website shows over 500,000 U.S. cybersecurity job openings as I write.  With gaps of this magnitude between open jobs and applicants, cyber security is a perfect discipline for educators to focus on and provide experiential learning that students can directly apply outside the classroom.

Capella University, an online university headquartered in Minneapolis, Minnesota, recently did just that by adding a hands-on lab component to the capstone course for its BS in Information Technology, Information Assurance and Cybersecurity program.  One of their over-arching design goals was to make the course as close as possible to the “real world” of cyber security work. We are proud that they chose Project Ares by Circadence to deliver this critical element.

In a recent Circadence webinar, Dr. James W. Barker, Adjunct Faculty in the School of Business and Technology, spoke in detail about the process the team at Capella went through to integrate Project Ares into their capstone course. Project Ares enabled them to address three objectives:

  1. Give students hands-on practice using their cyber skills against a variable adversary
  2. Provide authentic learning scenarios that students could report on to demonstrate their knowledge of the attack and recommendations for future prevention
  3. Create an opportunity for teamwork and collaborative problem solving, which are essential skill requirements for cyber teams and hiring managers

“By the end of the second week of the course,” said Dr. Barker, “almost to an individual, students stated that this is the most realistic, engaging, and challenging course that they have taken.  One group was so engaged and motivated by working on the Project Ares platform that they completed their final group mission two weeks early.”

From his faculty point of view, Dr. Barker is pleased that Capella has delivered the equivalent of a formal cyber security internship and cannot envision a better means of exposing their learners to “real world” security work.  And Capella isn’t stopping here; they are considering plans to incorporate Project Ares learning exercises into other courses at the undergraduate and graduate level.

Check out the webinar where Dr. Barker shares more about how he set up the course syllabus, and learn more about the power of Project Ares as an on-demand, hands-on learning platform that uses cyber range-as-a-service technology to deliver Virtual Machine-based cyber security training exercises.

 


3 Ways Tech Companies Can Improve the Talent Acquisition Process

It’s reasonable to correlate the quality of the talent acquisition process to the quality of employees in the company, which is tied to the success of the company. Yet there is currently a shortage of qualified experts in the field of cyber security, and there has been for quite some time. And while tech companies have pulled back the reins on hiring tech talent due to the economic consequences of the coronavirus outbreak, reports CNBC, more emphasis is being placed on preserving team member jobs and revitalizing the hiring process as we all prepare to re-open and heal. Out of the chaos of recent events comes opportunity, and tech companies are showing more resilience than ever as tech leaders identify pragmatic ways to staff up. We’ve got three foundational tips to help hiring managers and senior cyber security / IT leaders fill their cyber talent and candidate pools with qualified professionals who not only look good on paper, but can demonstrate their qualifications.

But before we dig into those recommendations, let’s establish some context first.

State of the cyber security talent in the tech sector

The role of the cyber security professional continues to develop and gain more authority and responsibility as the security landscape and the integration of business and technology evolves.

When we look at the current climate of cyber security jobs in the U.S., we see bleak yet in-demand overtones. Finding qualified cyber talent and candidates is very much like searching for a needle in a haystack for hiring managers and recruiters.

  • It takes an average of 3-6 months to fill a cyber security job position (Dark Reading)
  • In 2019, there were over 700,000 unfilled IT jobs in the U.S. (CNBC)
  • Employment of computer and information technology occupations is projected to grow 12 percent from 2018 to 2028 (Bureau of Labor Statistics)

While all companies likely struggle to find qualified cyber talent, the technology sector has its own unique set of challenges that are important to discuss and be aware of. Emerging technology, disruptive tech, and the sheer evolution and fast-paced nature of the industry make it hard to find candidates who have experience and knowledge in specialized areas of technology, many of which are only now being adopted by businesses.

IT, security managers, operators and human resource leaders realize that:

  1. they need to focus on filling positions with quality candidates who can demonstrate their skills in a skills-deprived landscape
  2. to achieve that objective, more can be done in the recruitment and hiring phase.

Okay, let’s talk about those recommendations now. And if you have more suggestions based on what’s worked with your company, let us know!

Promote from within

The first logical step in filling a cyber position is to promote from within the company. It saves on the time and cost of recruiting. There may be IT generalists in your company who want to take their career to a new level in cyber security, and who may have the aptitude and willingness to learn, and you’re just not aware of it.

If an IT generalist is interested in filling a needed cyber security position (e.g. information security engineer, network architect, systems analyst), consider giving them a project to test their skills and ambition and see how they do. More on this in a second.

To promote from within, ensure you’ve communicated the requirements of the position clearly to the company across all departments. People in cyber security positions come from all walks of life: computer science, history, military, political science, yes, even fields like philosophy. Yet they all have one thing in common: They share a deep and abiding interest in how technology works, notes Cyber Degrees.

So find those individuals who are looking to grow into a new position within the company and interview them. You may be surprised to learn there are passionate people willing to learn and grow, right in your own company ‘backyard.’

Test skills during the interview process

Allow candidates the opportunity to demonstrate what’s on their resumé. Online cyber training platforms like Project Ares can help HR managers and decision makers ‘see’ how a prospect might tackle a realistic cyber security issue.

  • Evaluate candidate skills in real-time against resumé credentials
  • Assess cyber competencies against other candidates and co-workers
  • Identify strengths in cyber technique, tactics, and procedures

By completing a set of tasks or activities that put skills like digital forensics, Linux skills, ports and protocols, and regular expressions to work, candidates can show employers what they know and how they work before they even move on to a second or third interview. It’s one thing to talk about your experience; it’s another to actually apply it in a realistic setting.

Use Project Ares to support internal hiring processes

Circadence’s Project Ares platform helps HR decision makers assess candidate skills and competencies in various aspects of cyber security. The platform can work for both internal recruitment and external recruitment. If you are promoting from within and you identify interested candidates who may or may not have a rich cyber background, they can use the platform’s cyber learning games and foundational scenarios to learn aspects of cyber security and security operations in ‘safe’ cyber range environments. If candidates demonstrate a willingness to learn in the platform, that is a good sign. If they are able to follow the guidance and instructions and apply critical thinking to complete the scenarios in the platform, even better. Hiring managers can literally ‘see’ how an internal candidate responds to the act of learning, and one can glean a lot about a candidate’s fit for the position simply through this effort of cyber aptitude testing.

Use Project Ares to support external hiring processes

The same applies for external hiring of cyber security professionals. Hiring managers and cyber security leaders can use Project Ares foundational and specialized scenarios to teach certain cyber skills they are looking for. If you’re looking to fill a position that aligns to a NIST/NICE work role, several exercises in the platform can address those specific skill sets. Further, the Assessment Reports can help HR professionals evaluate candidate strengths and compare those results against other candidates who have engaged in the platform to identify the best company cultural fit and skills fit.

  • Nurture qualified candidates in the platform
  • Retain top talent with professional skills development efforts in the platform

A Wall Street Journal article sums up the ‘what’s next?’ to these challenges succinctly:

Tom Gimbel, CEO of LaSalle Network Inc., a technology staffing and recruiting firm, said that once the crisis fades he expects a rebound in tech hiring as businesses seek out technology tools to cut costs and eke out efficiencies during a prolonged economic recovery.

“While new product implementations will slow down, we will see strong hiring of corporate IT, infrastructure, development and security roles,” Mr. Gimbel said.

How person-centered cyber training supports threat prevention in financial companies

Cyber security threats and preventive measures go hand-in-hand. Yet cybercrime continues to impose threats on the financial industry. “Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” according to a report by the Boston Consulting Group. These threats can arise at any time and occur through various sources (external sources such as hackers, and internal sources such as staff members and contracted employees). Some financial companies have developed action plans with steps to take if a cyber-attack strikes, but cyber security best practices also include establishing and initiating threat prevention methods. One example of a threat prevention method is person-centered cyber training.

Statistics show that cyber threat prevention is an immense pain point for many financial companies. A survey of 400 security professionals in financial services found that financial institutions are better at detecting and containing cyber-attacks and less efficient at preventing them. Almost 56% of financial institutions are effective at detection, and only 31% are good at prevention.

Financial services institutions must understand how to prevent cyber threats, which may require a ground-up approach.

Financial institutions can take immediate measures to engage in threat prevention methods with person-centered training. This type of training allows an IT or cyber professional to practice and hone skills by learning specific cyber lessons pertinent to the financial sector and applicable to their job role. The more upskilled the professional, the more they will be able to protect the company and company assets. A current platform that offers specific job role training is Project Ares.

Person-Centered Training with Project Ares

Circadence’s Project Ares is a browser-based learning platform designed for teaching cyber security in an engaging and hands-on applied method. This platform offers gamification and AI to train employees on the latest cyber threats and attacks. Project Ares is made up of foundational and specialized scenarios in the form of battle rooms and missions that address current cyber threats in the financial sector. The lessons within Project Ares are developed with specific job roles in mind.

For example, various scenarios are developed with the theme of a financial service, so the trainee can learn the skills needed to prepare for a cyber threat. In these specific financial missions, the trainee will learn how to disable botnets, identify and remove suspicious malware, and protect the financial institution.

  • Mission 1 – Operation Goatherd “Disable Botnet” – Acting as a cyber mission force member, the trainee will access the command and control server of a group of hackers to disable a botnet network that is designed to execute a widespread financial scam triggering the collapse of a national bank.
  • Mission 4 – Operation Arctic Cobra “Stop Malicious Processes” – The cyber trainee will analyze network traffic and stop a malicious exfiltration process.
  • Mission 5 – Operation Wounded Bear “Protect Financial Institution” – The trainee identifies and removes malware responsible for identity theft and protects the financial network from further infections.

This individual or team-based mission training delivers collaborative skill-building experiences aligned to NIST/NICE work roles, ensuring the trainee meets specific cyber competencies. This kind of immersive, hands-on training gives learners the ability to practice various forms of threat prevention, which will benefit the company’s overall security posture in the long run.

The better trained cyber professionals are for their job roles, the more likely they will be able to safeguard against threats and take proactive measures to prevent them. If cyber professionals are prepared and well-informed, with the right knowledge and skills in their toolbox, threat prevention will be more attainable for professionals on the frontlines of defense. Professionals will be able not only to spot a cyber threat, but also to prevent cyber threats from breaking the bank.

 

Living our Mission: Circadence Collaborates with Academia and Army to Support Cyber Range Virtual Environment Replication and Construction with N/CRAF

Circadence announced in May 2020 the latest development of an automated network mapping tool for IT use, based on collaborative work with Mississippi State University engineers and researchers. Circadence has had a six-year partnership with the university and the Threat Systems Management Office of Redstone Arsenal (TSMO) and has worked on several projects over the years to solve challenges related to National Defense. We sat down with two of our Circadence personnel: Dwayne Cole, the JMN NOSC (Network Operation and Security Center) Operations Manager and Craig Greenwood, Project Manager with Opposition Force/Advanced Red Team Intrusion Capabilities to understand more about the tool and learn about the benefits it provides to the technology community at large.

The Netmapper/Cyber Range Automation Framework (N/CRAF) project started as two separate projects, Netmapper and CRAF. The projects were recently combined to form a new tool integrating two previously independent efforts:

  • Netmapper — Commissioned by TSMO, developed by Circadence in collaboration with Mississippi State University (MSU) Center for Cyber Innovation (CCI). Netmapper is a graphical tool for the scanning and configuration collection of network infrastructure and integration with NOSC automation.
  • Cyber Range Automation Framework (CRAF) — Developed by NOSC engineers to meet mission requirements for rapid and repeatable deployment and configuration of virtual environments. CRAF uses Ansible and other open source tools to instantiate virtual environments.


N/CRAF (Netmapper/Cyber Range Automation Framework) is the enabling mechanism for physical resource provisioning and virtual environment instantiation in a rapid and repeatable fashion. It supports the full lifecycle of cyber range virtual environment events.

The Netmapper project was born out of the need to improve the accuracy of Cyber Range emulated network environments. Craig noted that before N/CRAF, range environments were built from a subject matter expert’s assumption or belief about what their network looked like, but inevitably those assumptions were never 100% correct. The network mapping process previously required a network administrator or engineer to draw a picture or map of the network, which became the basis of the virtualized environment used in the exercise(s). One can understand how there was room for error in this manual process, or at the least a small level of concern as to whether a network drawing and its virtualization were indeed as realistic and accurate as possible.

As a result, Craig says, professionals training in the cyber range environments weren’t actually training on networks that were as ‘close to the real thing’ as possible. There was room to improve.

When automation engineers have real-world scanned networks as a reference, they can more accurately emulate the customer’s environment. Simply put, as Craig notes, “we took the assumption out of network mapping” with N/CRAF. Now the training moves ever closer to a real-world environment.

“Imagine scanning a network to extract the DNA which can be used to clone and re-build it,” Circadence’s Dwayne Cole describes.

Combining the two programs (Netmapper and CRAF) enabled an iterative approach to cyber range environment build out that also drastically improved the end product. The scanning technology helps the automation engineers verify what they have built; it adds a check for the automation framework. It also can be used by the customer to validate the environment. The customer can easily compare the original design or scan versus the final emulated environment hosted on the Cyber Range.

With N/CRAF, it becomes easier for engineers to share their network models with one another and build out high-fidelity networks to facilitate technology assessments. N/CRAF saves everything, including all the configuration data, to a single XML file. The tool also supports merging and diff’ing the output files. The merge capability allows the engineer to take parts and pieces from other networks or events and add them to the current event. This allows the engineers to build special-purpose network sections, like synthetic internet or traffic generation, that can be reused in or added to the current event. N/CRAF is a force multiplier: it makes tedious deployment and configuration tasks repeatable and improves the reuse of detailed environments for multiple users to train within.

The tool is currently undergoing an accreditation process and is being demoed within defense departments with the goal to deploy it as a standardized tool across various agencies. The potential for the tool to be used in more commercial applications is promising as well.

To read the project announcement issued by Mississippi State University, see the news release: https://www.msstate.edu/newsroom/article/2020/04/msu-circadence-partner-create-virtual-cyber-defense-tool.

Transform Fall Cyber Security Classes with Hands-On Learning

As educators blend classroom and online learning for safe fall course experiences, Project Ares helps get the balance right for teaching cyber security. Whether instructing cyber security courses remotely or in-person, Information Security and Cyber Security educators must make learning engaging and relevant to best prepare students for careers in the field.  Circadence can help educators transform existing cyber security curriculum to support teaching challenges with the Project Ares online learning tool.

An Educator’s Perspective: The Impacts of Distance Learning and Teaching, a Q&A with Dr. Bradley Hayes

We are continuously reminded of the stark reality that higher education teaching and learning is indeed different today than it was a few months ago. Since Circadence is committed to cyber security education and training, we try to stay on top of the latest developments with distance learning so that we can think through how to keep supporting cyber and information security teachers during this unprecedented pandemic time. We often hear from higher education partners and customers how much of a challenge distance learning and teaching can be, so we sat down with our own Dr. Bradley Hayes to hear firsthand what his experience has been like. Brad is the Chief Technology Officer at Circadence, and Assistant Professor in the College of Engineering and Applied Science, Director of the Collaborative AI and Robotics Lab at the University of Colorado, Boulder. We also solicited the perspectives of several other higher education teachers who were willing to share their thoughts on the challenges and opportunities to adapt to this ‘new normal’ of teaching and learning.

We hope by sharing his story with you, our readers, it can help ignite conversation and ideas that make teaching cyber security better for both educator and student.

How have distance learning requirements impacted you as a professor? Your class? Your teaching style?

Distance learning has been a massive shift for many of us, and certainly requires a different approach: preparing for it and delivering lectures as if it were an in-person class does not work! For many professors, the lack of in-person social cues is the most noticeable change, especially if students aren’t sharing their video. Delivering a lecture to a computer monitor is difficult enough, and removing the implicit feedback mechanisms of in-person instruction can exacerbate issues that wouldn’t normally be problematic in lecture delivery.

I teach a graduate class on the Algorithmic Foundations of Human-Robot Interaction in the Spring, which has been quite different now that there is greatly reduced human interaction (and no human-robot interaction!). I’ve certainly learned a lot, as I had to quickly transition to using robotics simulation environments (instead of having students use physical robotics platforms) and set student project teams up for effective remote collaboration on very short notice. Ultimately, I find that remote instruction is no substitute for in-person instruction, but it does encourage a more scalable mindset to assignments and mentoring that could have real benefit when we resume in-person classes.

Switching to remote lecturing has had substantial impacts on my teaching style as well. The following observations have risen to the top as key learnings:

  1. I tend to be very animated when teaching, which doesn’t particularly work as well over video and I feel has been detrimental to student engagement.
  2. I have found it takes extra effort to engage students with the material, particularly if they’re in an environment that isn’t conducive to focused learning.
  3. Encouraging more hands-on exercises can go a long way toward bringing their focus and attention back to the material, but this takes more advance preparation work than if it were an in-class exercise.

How are your students responding to the remote learning shift?

It’s been difficult for them, but to their credit, they’ve done a great job adapting to it. Social distancing and quarantine guidelines in general have caused a lot of upheaval in their lives, adding stress and instability that may not be outwardly obvious to us as their professors, which has necessitated a recalibration of expectations regarding coursework. One of the most important changes to keep productivity high was the adoption of real-time collaboration tools to facilitate group-work and bring more course material-relevant conversations into a more visible medium for others to benefit from and participate in. Even though most students were able to continue attending class synchronously (i.e., joining the video conference at our normal time), most of the interaction that would’ve traditionally happened in the classroom shifted into our online collaboration tools.

To be an online learner, one needs to be independent, disciplined, organized and communicative with questions, responses and/or if issues exist.  What can be a little frustrating is reaching out to students with no response…not knowing how they are doing; being worried about them, hoping they are ok – it is a TEAM approach in all aspects.  The students are paying for their education, thus, the importance of high communication and engagement from both student and instructor is paramount. ~ Julie A. Shay, MBA-HIN, RHIA, Program Director for Health Information Technology Programs/Lead Faculty/Professor – Santa Fe College

What was needed to make the transition to full remote teaching?

A chat-based online collaboration tool was absolutely essential, as this became the new forum for conversations that would naturally occur at the conclusion of the lecture when students would typically walk up to the lectern with questions or ideas to discuss.

These informal interactions can be approximated with post-class discussion through collaboration tools, though there’s an additional activation cost that requires priming from the instructor to kick things off. Another important consideration is the space from which you’ll be delivering your lecture: having a professional-looking environment with adequate lighting makes a big difference and can have a positive effect on student engagement.

What challenges came with transitioning to a remote classroom?

Since we go through a decent amount of complex mathematical derivations in my course, I had to weigh the advantages and difficulties of using a virtual whiteboard versus moving everything into slide format.

  • Personally, I’ve found the move away from the whiteboard to be advantageous in terms of clarity for the students.
    • It forced me to explicitly describe each step of what we’re going through in a clear, permanent way on slides that can be easily distributed.
    • Unfortunately, this makes it a lot more difficult to step through equations by letting students lead the process, as the smaller the ‘minimum revealing step’ in each equation is (e.g., do you reveal one character at a time, or one whole term at a time?) the more difficult and time-consuming it is to prepare in advance.

The biggest challenge has been tracking student engagement and understanding of the material. In the absence of social cues, the feedback loop becomes much longer, as assignments or tangible work products from student projects become the only measurable signal. Learning to properly take advantage of remote collaboration tools has also been a difficult process, as many of us are adapting on-the-fly, leading to trial and error that puts additional hardship on the students.

Understand that teaching in a remote environment will require a different leadership style and, in my opinion, that style is Transformational Leadership. In essence, this leadership style will require [the professor] to motivate and transform the mindset of the student to perform at a higher academic level…yet, remotely! ~ Dr. Eric Todd Hollis

What have you learned/observed throughout this distance learning process?

By far, the most important aspect of making distance learning work for students who are used to in-person instruction is to stay in communication with them, soliciting and listening to their feedback. Maintaining student engagement and keeping your students interested in the course material is more difficult from a distance learning perspective, and requires more effort than you may be used to! There is a common tendency to disengage entirely when feeling lost or demoralized by a class that is greatly exacerbated by the distance learning experience — it is critical to budget extra time and put in extra effort to connect with students who are at risk of disengaging.

Since in-class group exercises may not be an option anymore (especially depending on how lectures are being delivered), additional resources, creativity, and preparation are necessary. Specifically, this past semester has really underscored the importance of providing ‘hands-on’ learning experiences to foster engagement in lecture and encourage retention of the material. The addition of a simulation environment that students could interact with was a game-changer not just in terms of making concepts ‘real’, but also in terms of giving students the tools they needed to really apply and experiment with what they were learning. Once there is an opportunity to explore the course material in an interactive environment, I’ve found that students are far more likely to bring up new ideas for discussion or implementation, reinforcing their interest in the course content and leading to better outcomes.

What is one thing you’d advise other educators who are struggling to sustain distance learning for the foreseeable future?

Learn how to set up and use established online collaboration tools and learning environments! This will save you a lot of time and headache over cobbling together your own while also trying to develop an adapted curriculum. Establish a cooperative atmosphere by being transparent with your students when trying a new pedagogical approach, and regularly solicit their feedback to refine your strategy.

In conclusion…

We thank Dr. Hayes for taking the time to share his personal successes and challenges with us and the great higher education community of teachers. To hear Dr. Hayes in ‘virtual’ person, we’ve extended this topic of distance learning challenges and tools into a live webinar panel discussion in partnership with Microsoft. Join us June 9, as we dig into the state of distance learning today and introduce technologies that can help educators adapt to a blended classroom teaching experience as we head into the Fall semester season.

REGISTER HERE: https://marketing.circadence.com/acton/media/36273/webinar-transform-distance-learning-through-creative-and-practical-technology-focus-on-cybersecurity-education

 


Distance Learning and Teaching for Cyber Security Programs

Distance Learning Today

Practically overnight, distance learning has become the ‘new norm’ for academic institutions. Educators worldwide are figuring out what Emergency Remote Teaching (ERT) means for their specific courses and subject matter for summer term and likely fall term 2020. And while the immediate remote learning requirements for pandemic mitigation will eventually recede, there is a growing awareness that online and blended learning options in Higher Education curriculum will likely be a strategic part of the post-pandemic norm.

“Every faculty member is going to be delivering education online. Every student is going to be receiving education online. And the resistance to online education is going to go away as a practical matter,” James N. Bradley, chief information officer at Texas Trinity University, wrote in a LinkedIn post.

Job opportunities in the cyber security field

Let’s take a specific look at higher education programs for Information Technology and the related cyber security discipline. For starters, they can’t graduate students fast enough to fill the existing job openings in the cyber security field. Even before the pandemic, there was a well-documented talent gap between the growing number of open cyber security jobs and skilled applicants to fill them. In November 2019, ISC2 calculated that the cyber workforce would need to increase by more than 145% to fill gaps in talent across the U.S.  Cyberseek.org tracks this unique employment landscape and states that “the average cybersecurity role takes 20% longer to fill than other IT jobs in the U.S.” because employers struggle to find workers with cyber security-related skills.

The dynamics of this gap have probably gotten worse. Today’s stay-at-home world has cyber security vulnerability written all over it. Online activities have exploded with remote work access, distance learning, telemedicine, video conferencing, online shopping, gaming, media streaming, and more all happening at once, creating a world of opportunity for threats to identity, systems and data. And, in the post-pandemic world that we are looking forward to, many of the new and unexpectedly ‘proven’ activities like distance learning and telemedicine will likely stay with us to some extent as part of the ‘new norm’.

The result is that behind the physical coronavirus crisis is the shadow of a virtual cyber virus crisis. And it means that cyber security is quickly moving to the frontlines of mission-critical skillsets for healthcare, higher education, retail, and every employer that enabled work-from-home for the safety of their workforce. Now, more than ever, organizations and institutions need to stop thinking in terms of IF they are breached and start planning in terms of WHEN they are breached.

Does that sound ominous? It is! But buried in the dramatic shortage of cyber skills is opportunity. Opportunity for STEM/IT focused students (high school and collegiate) to specialize in cyber security and find jobs upon graduation. And opportunity for higher education institutions to ramp up their cyber security program enrollment.

  • In March 2019, Cyber Crime Magazine reported that only 3% of U.S. Bachelor’s Degree graduates had a skill set in cyber security.
  • And in another 2019 report, Burning Tree Technologies learned that while federal data showed the number of postsecondary programs in key cyber security areas had increased 33%, the ratio of currently employed cyber security workers to job openings had hardly budged since 2015. In other words, the pool of available talent has remained proportionally the same.

 

Developing the cyber security skills that employers are desperate for is a multi-faceted challenge. Employers want to bring in new hires who have both a strong foundation in basic security principles and concepts as well as practical job role specific skills like networking protocols, scripting, regular expressions, kill chain and network defense, etc. And maybe most importantly, employers categorize top talent as those applicants with power skills like strategic thinking, problem-solving, teamwork and collaboration.

Distance learning and the IT / cyber security discipline

At Circadence, we specialize in cyber security learning, specifically through an immersive learning platform that provides hands-on experience and strategic thinking activities for students working towards careers in the field of cyber security.

Today’s educators are looking for engaging student activities that teach designated core curriculum topics to meet learning objectives. And, it is equally critical to assess student comprehension of learned material and measure progress to ensure the effectiveness of the curriculum and teaching approach. These challenges can be met head-on with Circadence’s Project Ares in the online classroom. Project Ares is a browser-based learning platform specifically designed for teaching cyber security in a hands-on, applied manner.

It can help transform existing cyber security curriculum to support current distance learning challenges as well as integrate into future course design.

For cyber security instructors:

•     The built-in learning exercises can augment existing syllabi.

•     Anytime access enables flexible asynchronous delivery to support current circumstances for instructors and students.

•     Self-directed student learning opportunities are supported through hints, Q&A chat bot, and session playback and review.

•     Optional live observation or interaction within the exercises supports tutoring as well as assessment.

•     Immersive, gamified environment sustains student engagement with scores and leaderboards to incent practice and improvement.

•     Global chat enables peer-to-peer community and support for students.

Additional Distance Learning & Teaching Resources

As higher education instructors shift to deliver, proctor and advise online, we anticipate teaching strategies continuing to adapt to use new and immersive tools that enable alternative online courses to positively impact student learning now and into the future. Circadence is excited to be a part of this shift in learning and proud to partner with today’s cyber security educators who prepare tomorrow’s much-needed workforce of cyber defenders.

For more information, check out these resources:

•     Microsoft technology helps enable remote classrooms https://www.microsoft.com/en-us/education/remote-learning?&ef_id=EAIaIQobChMIjrP4qvSQ6QIVlxatBh347wMJEAAYASAAEgL-VvD_BwE:G:s&OCID=AID2000043_SEM_6M11V6Kq&utm_source=google&gclid=EAIaIQobChMIjrP4qvSQ6QIVlxatBh347wMJEAAYASAAEgL-VvD_BwE

•     Circadence White Paper Teaching Cyber Security Remotely: Online Learning with Project Ares https://marketing.circadence.com/acton/media/36273/whitepaper-rise-of-distance-e-learning-in-higher-education

•     Project Ares Curriculum Example. Building an Immersive Cyber Curriculum with Project Ares: A use case from a public research institution in the Western U.S. https://marketing.circadence.com/acton/media/36273/immersive-cyber-curriculum-with-project-ares-use-case  

•     Cyberdegrees.org provides a comprehensive directory of colleges and universities offering cyber security degrees, as well as a wealth of information on career paths within the cyber security field, security clearances, and the range of professional security certifications available.

If there is one thing that this pandemic has taught us all, it is that out of chaos arises opportunity: Opportunity to be better professionals, better neighbors, better defenders, and overall, better people. We hope each of you continues to stay safe and secure during this time.

 


Cyber Security and Risk Mitigation Go Hand in Hand

Cyber Risk means different things to different people in an organization. Deloitte distinguishes it well: A CEO might worry about the expected financial loss related to cyber risk exposure; while the CFO is challenged to show the value of security while managing the associated costs. The CMO might worry about the impact to the brand if a breach to the company occurs; while the CISO is thinking about which key initiatives to prioritize to maximize risk buy down.  But one thing that savvy executives agree on is that cyber security is a business risk that should be included in corporate risk mitigation strategy and processes.

Cyber Risk Mitigation focuses on the inevitability of disasters and applies actions and controls to reduce threats and impact to an acceptable level.

Lisa Lee, Chief Security Advisor for Financial Services in Microsoft’s Cybersecurity Solution Group,  partnered with Circadence in April 2020 to talk about this topic in a webinar.  Originally broadcast for a financial risk mitigation audience, the practical advice Lisa offers in 6 areas of cyber risk mitigation is broadly applicable.

Cyber Risk Insurance

Insurance can help to reduce the financial impact of an incident, but it does NOT mitigate the likelihood of a cyber breach happening – in the same way that having car insurance helps with the financial consequences of an accident but cannot in any way prevent an accident from occurring.

Identity and Access Management

Microsoft recommends making “Identity” the security control plane. Employees use multiple devices (including personal devices), networks, and systems throughout their lifecycle with a company. The explosion of devices and apps and users makes security built around the physical device perimeter increasingly complex. At the same time, access to on-premises systems and cloud systems is shifting to meet business needs. Partners, vendors/consultants, and customers might also all require varying degrees of access. A strongly protected, single user identity at the center of business for each of these constituents can exponentially improve the efficiency and efficacy of the overall security posture of the company.

Configuration and Patch Management

This is IT or cyber security 101. Everyone should be doing it on a consistent basis. But 20% of all vulnerabilities from unpatched software are classified as High Risk or Critical. The Center for Internet Security is an excellent resource for more information on best practices.

Asset Protection (devices, workload, data)

There is a massive amount and diversity of signal data coming in from the network and there are many tools on the market to help assist in the collection, management, and assessment.  Lisa advised not to spend too much time trying to evaluate and select the best of breed tool in each category.  Rather, find a suite that works well together so that you don’t have to spend time on integration. Beyond devices, also consider your security policies and practices to ensure visibility for workloads across on-prem, cloud, and hybrid cloud environments.  And finally, consider protecting the information directly so that wherever data elements go, even outside the company, they carry protection with them.  The key to this is encryption.

Monitoring and Management

These two concepts are seemingly more about ‘risk management’ vs. ‘risk mitigation’. But monitoring helps you to ‘know what you don’t know’ in order to adapt and improve mitigation strategies. And today, many of the monitoring tools from Microsoft and other vendors have features that enable cyber analysts to take action, i.e., analysts can use the same tool that helps identify a vulnerability to then resolve it.

Cyber Security Training

Security is an ever-changing situation because bad actors are always developing new attacks.  Therefore, training and education is an ongoing requirement for cyber professionals.  Circadence’s Project Ares is a cloud-based learning platform specifically designed for continuous cyber security training and upskilling.   IT and cyber organizations that invest in on-going training for their people are making as strong an investment in mitigation as in the tool stack that the analysts use on-the-job.

With consideration in all 6 of these areas, you will be able to architect and compose a comprehensive cyber mitigation strategy.

Here’s a link to the full webinar.  It’s only 45 minutes long and Lisa provides more detail in each of these categories.

Great Dance Partners: How Cybersecurity and Risk Mitigation Go Hand in Hand

 


Why Cyber Risk Mitigation is a Priority for Finance Leaders

The role of the CFO is evolving. Whether at a bank or credit union, today’s finance leaders wear many hats, one of which is a cyber security ‘hat’. Constant breaches within financial institutions warrant such a ‘wardrobe’. Insider threats are growing, outside adversaries are multiplying at a rapid pace, and attacks on financial departments and companies are ever-increasing. Unfortunately, classic security controls like firewalls and antivirus are easily compromised as attackers become more sophisticated.

As threats increase, risks to businesses increase—and for CFOs and VPs of Finance, defining an adequate budget to account for those cyber risks and allocating proper resources is of the utmost importance to protect companies and their clients. Finance leaders are no longer siloed to reviewing financial statements and spreadsheets—their role extends far beyond the numbers to include cyber security.

Some CFOs may not be comfortable with this change but the reality of cyber security today mandates involvement from the CFO/VP of Finance to develop a cyber readiness strategy. Why are finance leaders critical to the cyber security conversation? Because many CFOs need to address and mitigate the business risk concerns of the C-suite, board, and investors (not to mention continuing to improve the ‘financial health’ of the company).

Any sort of digital compromise to a financial services company results in damaging monetary and reputational outcomes that directly impact the financial function of the organization.

This is why cyber risk mitigation is and should continue to be a critical priority for CFOs today. And for many, it already is: According to a 2019 study from Protiviti, 84% of global CFOs and VPs of Finance cited security and data privacy as a high priority[1] for them. Many CFOs are already taking the reins of the cyber security challenges to get ahead of looming risks and imminent vulnerabilities. How? By taking a more active role in defining cyber security strategy in a way that effectively hardens posture while ensuring company growth.

As such, the typical CFO responsibilities listed below are only a part of many to come:

  1. identifying and monitoring risks of critical assets to protect company/client data
  2. ensuring critical infrastructure operations meet regulatory requirements
  3. contributing to the optimization of digital asset access and utilization to safeguard against attackers

That third responsibility may seem a tad ‘out of the norm’ for a CFO. Typically a CIO or CISO might be in charge of that objective. But as more financial services companies respond to digital transformation demands, data becomes a critical asset to protect. Much of that data “lives” on the devices that company employees use every day. CFOs should have a general awareness of who has access to what, where, and when and be aware of the policies in place that enforce security at all levels.

Since data is a valuable company asset, the CFO’s responsibility to ensure the financial ‘health’ of the company becomes much more complex as cyber security asset and risk management becomes a top priority. Security Boulevard writes “A modern CFO will have an excellent grasp on how an organization manages cyber security and will be able to ask the right questions.”[2] We agree!

For CFOs to make cyber security a priority, they are having to work across many lines of business within their organizations to contribute to the construction of a holistic cyber security program that has full buy-in from all employees (leadership/C-Suite included).

Further, CFOs bring a unique perspective to the ‘building a culture of cyber security’ conversations as they are extremely committed to helping the company grow. While CFOs may not be cyber security experts, they do have a unique take on how and what solutions to invest in that will maximize the potential for company growth over time.

By working hand-in-hand across departments like IT and legal, CFOs and finance leaders can develop a holistic cyber security plan that goes beyond merely ‘evaluating cyber insurance coverage’. A huge part of strategic cyber planning includes understanding what current companies are doing to mitigate cyber risk. Foundational elements need to be established first.

While cyber insurance is a good start, other measures need to be taken to ensure that companies are not just reacting when threats occur, but instead, are taking proactive measures to get ahead of threats before they hit. A proactive approach should also include the adoption of a persistent cyber security training program to support frontline defenders who are doing the day-to-day defense against ambitious yet malicious adversaries.

With the right cyber security training in place, teams can be assessed on their abilities to identify and mitigate risks before they happen, while supervisors (e.g. CISOs) can glean insight into how teams are responding and areas for improvement. This intel can translate upward to the CFO who will need to know the risks associated with gaps in cyber security response.

 

Check out our webinar:
Great Dance Partners: How Cyber Security and Risk Mitigation Go Hand-in-Hand.

[1] https://www.cfodive.com/news/cybersecurity-is-latest-cfo-domain-study-finds/567056/

[2] https://securityboulevard.com/2019/08/is-it-critical-for-cfos-to-understand-cybersecurity-2/
