Human Resources Takes on Cyber Readiness: How to Mitigate Cyber Risks with Security Awareness Training

Reading Time: 4 minutes

Every year hackers come out of the woodwork to target various companies, specifically around the holiday season. In fact, cyber attacks are estimated to increase by as much as 50 – 60% over the holidays. With staff often spread thin and consumers taking advantage of online shopping and banking for added convenience, the timing is perfect for HR professionals to stay vigilant with how they onboard new employees with cyber education while encouraging good cyber hygiene among existing colleagues. Understanding the risks employees come across while online, how to train them to detect and mitigate these risks, and how you as an HR manager can ensure continued efforts to harden security posture will make you a cyber safety hero this holiday season!

While IT and cyber professionals are primarily responsible for securing a company’s networks and ensuring teams are up to snuff, the reality is that cyber risk extends beyond what occurs in the server room. Human error continues to be one of the top reasons cyber attacks are successful. This means that not only do security teams need to be trained, but cyber training across every department, with every employee who works on a computer, is essential to obtain and maintain good cyber hygiene across the company. If every employee in your organization understands how their actions can impact overall company security, more personal responsibility will be taken to maintain cyber safety.

Don’t fret! HR professionals need not be masters in cyber security. There are great tools out there to help anyone learn the basics and be able to share their foundational learning with others. So, what are some of the things you can learn and train employees on to mitigate attacks?

  • Phishing emails – With inboxes flooded daily, it can be hard to spot potential threats in emails. Hackers send targeted emails that may address a work-related matter from a co-worker or manager. One click on the wrong email, and you could be infecting your business device with malware. It is important every employee understand what suspicious emails “look” like and how to avoid nefarious click bait.
  • Using company devices for personal work – It’s an easy thing to do – grab a work device off the counter and start online shopping, emailing friends and family, or finally getting around to baking that chocolate chip cookie recipe from Martha Stewart. However, accessing un-secured sites and opening personal, and potentially phishing, emails on a work computer puts companies at risk. As an HR manager, you must recognize this common occurrence and be able to speak to it with your staff. If a hacker is able to gain access to a business computer through an employee’s personal use, they gain access to all of the company information on that employee’s device as well.
  • Using personal devices to conduct business – The same can be said for using personal devices to conduct business. It can be difficult to “turn off” after work hours and many employees answer some work emails on their cell phone, or load a work document on his/her personal tablet or laptop. When company staff access potentially sensitive business documents on their personal device, they risk leaking that information to a hacker. To prevent attacks company-wide, HR pros must be aware of how often this type of behavior occurs and work closely with their IT department to learn how company networks are secured when remote access is granted to employees outside of home and work IP addresses.

HR managers: Spread good cyber hygiene!

Security awareness training is becoming increasingly prevalent at companies that know what it takes to have good cyber hygiene. According to a recent report by Infosec, about 53% of U.S companies have some form of security awareness training in place. While this is still barely over half, it’s a start. So what can you do to rank among companies leading the charge in cyber security?

  • Offer continuous training – Cyber security awareness training is not a “one and done” event. This kind of training should continue throughout the year, at all levels of an organization, and be specific to different job roles within the company. Technology is always changing, which means the threatscape is too. When you are battling a constantly shifting enemy, your employees need to be vigilantly trained to understand each shift.
  • Perform “live fire” training exercisesLive fire exercises (LFX) happen when users undergo a simulated cyber attack specific to their job or industry. One example is having your IT department send out a phishing email. See how many people click on it and show them how easily they could have been hacked. This data can be used to show progress, tailor problem areas, and train to specific threats as needed.
  • Stress the importance of security at work and at home – Showing employees the benefit of cyber awareness in the workplace translates to awareness at home as well. Help prospective and existing employees gain a wide breadth of understanding about cyber best practices by making learning approachable instead of unattainable or intimidating.
  • Reward good cyber hygiene – Reward employees who find malicious emails or other threats with your company’s IT team and share success stories of how employees helped thwart security issues with vigilant “eyes” on suspicious activity. Equally, it is important to also empathize with employees who make mistakes and give them the tools to learn from their mistakes. Many employees receive hundreds of emails each day, and while training tips and education are helpful tools, it is not a perfect solution.

Training employees to be cyber aware can be difficult unless a structured program and management strategy is in place. We’re here to help! Circadence’s security awareness platform, inCyt, is coming soon! inCyt allows employees to compete in cyber-themed battles and empowers them to understand professional and personal cyber responsibility. By cultivating safe cyber practices in virtual environments, HR managers can increase security awareness and reduce risks to the business.

To learn more and stay in the know for upcoming product launches, visit www.circadence.com

Photo by Austin Distel on Unsplash

Photo by Alex Kotliarskyi on Unsplash

Living our Mission: Project Ares Takes Full Flight with Cloud-Native Architecture

Reading Time: 4 minutes

According to CIO magazine, about 96% of organizations use cloud services in one way or another. In partnership with Microsoft, we are proud to announce that Circadence has redesigned its Project Ares cyber learning platform to fully leverage a cloud-native design on Microsoft Azure.  This new, flexible architecture improves cyber training to be even more customized, scalable, accessible, and relevant for today’s professionals.

This transition to cloud infrastructure will yield immediate impacts to our current customers.

  • Increased speeds to launch cyber learning battle rooms and missions
  • Greater ability to onboard more trainees to the system from virtually any location
  • More access to cyber training content that suits their security needs and professional development interests

Proven success at Microsoft Ignite

At the recent Microsoft Ignite conference (November 2019), more than 500 security professionals had the opportunity to use the enhanced platform.  Conference participants set up CyberBridge accounts and then played customized battle rooms in Project Ares. Microsoft cloud-based Azure security solutions were integrated into the cloud-based cyber range to provide an immersive “cloud-in-cloud” sandboxed learning experience that realistically aligned to phases of a ransomware attack.  The new version of Project Ares sustained weeklong intensive usage while delivering on performance. 

So what’s new in the new and improved Project Ares?

Curriculum Access Controls for Tailored Cyber Learning

One of the biggest enhancements for Project Ares clients is that they can now control permissions for  training exercises and solution access at the user level. Customer Administrators will use the new CyberBridge management portal to tailor access to Circadence training exercises for individual users or groups of users.

Single-sign-on through CyberBridge enables the alignment of training exercises to individuals based on their unique learning requirements including:

  • Cyber skill-building exercises and complex missions within Project Ares for cyber professionals
  • Cyber foundation learning with Cyber Essentials tools for the IT team
  • Security awareness training with inCyt for general staff

Cyber Essential learning tools and the inCyt game for security awareness will be added to CyberBridge over the next several months. With the capability to pre-select training activities reflective of a company’s overall security strategy, enterprise security managers can call the shots.

“As the administrator, you now choose what curriculum content your team should have. “This provides more flexibility in cyber training for our customers in terms of what they can expose to their teams.” ~ Rajani Kutty, Senior Product Manager for CyberBridge at Circadence.

Greater Scalability and Performance in Cyber Training

With a cloud-native architecture design, Project Ares can support more simultaneous users on the platform than ever before. Project Ares can now handle over 1,000 concurrent users, a significant improvement over historical capacity of 200-250 concurrent users on the platform.  The combination of  content access control at the group or individual level and the increased scalability of Project Ares creates a solution that effectively spins up cyber ranges with built-in learning exercises for teams and enterprises of any size.  Additionally, this means that no matter where a cyber learner is geographically, they can log on to Project Ares and access training quickly. We see this as similar to the scalability and accessibility of any large global content provider (e.g. Netflix)—in that users who have accounts can log in virtually anywhere in the world at multiple times and access their accounts.

Now that Project Ares can support a greater volume of users on the platform, activities like hosting cyber competitions and events for experts and aspiring security professionals can be done on-demand and at scale.

“We can train more people in cyber than ever before and that is so impactful when we remember the industry’s challenges in workforce gaps and skills deficiencies.” ~ Paul Ellis, Project Ares Senior Product Manager at Circadence

The previous design of Project Ares required placing users in “enclaves” or groups when they signed on to the system to ensure the content within could be loaded quickly without delay. Now, everyone can sign in at any time and have access to learning without loading delays. It doesn’t even matter if multiple people are accessing the same mission or battle room at the same time. Their individual experience loading and playing the exercise won’t be compromised because of increased user activity.

Other performance improvements made to this version of Project Ares include:

  • Quicker download speeds of cyber exercises
  • Use of less memory on user’s computers, and resulting longer battery life for users, thanks to lower CPU utilization.
  • These behind-the-scenes improvements mean that training can happen quicker and learning, faster.

New Cyber Training Content

One new Mission and three new Battle Rooms will be deployed throughout the next few months on this new version of Project Ares.

  • Mission 15, Operation Raging Mammoth, showcases how to protect against an Election attack
  • Battle Rooms 19 and 20 feature Splunk Enterprise installation, configuration, and fundamentals
  • Battle Room 21 teaches Powershell cmdlet (pronounced command-lets) basics

Mission 15 has been developed from many discussions about 2020 election security given past reports of Russian hacktivist groups interfering with the 2016 U.S. election.  In Operation Raging Mammoth, users are tasked to monitor voting-related systems. In order to identify anomalies, players must first establish a baseline of normal activity and configurations. Any changes to administrator access or attempt to modify voter registration information must be quickly detected and reported to authorities. Like all Project Ares Missions, the exercise aligns with NIST/NICE work roles, specifically Cyber Defense Analyst, Cyber Defense Incident Responder, Threat/Warning analyst.

Battle Rooms 19 and 20 focuses on using Splunk software to assist IT and security teams to get the most out of their security tools by enabling log aggregation of event data from across an environment into a single repository of critical security insights. Teaching cyber pros how to configure and use this tool helps them identify issues faster so they can resolve them more efficiently to stop threats and attacks.

Battle Room 21 teaches cmdlet lightweight commands used in PowerShell.  PowerShell is a command-line (CLI) scripting language developed by Microsoft to simplify automation and configuration management, consisting of a command-line shell and associated scripting language. With PowerShell, network analysts can obtain all the information they need to solve problems they detect in an environment. Microsoft notes that PowerShell also makes learning other programming languages like C# easier.

Embracing Cloud Capabilities for Continual Cyber Training

Circadence embraces all the capabilities the cloud provides and is pleased to launch the latest version of Project Ares that furthers our vision to provide sustainable, scalable, adaptable cyber training and learning opportunities to professionals so they can combat evolving threats in their workplace and in their personal lives.

As this upward trend in cloud utilization becomes ever-more prevalent, security teams of all sizes need to adapt their strategies to acknowledge the adoption of the cloud and train persistently in Project Ares. You can bet that as more people convene in the cloud, malicious hackers are not far behind them, looking for ways to exploit it. By continually innovating in Project Ares, we hope professionals all over the globe can better manage their networks in the cloud and protect them from attackers.

Predictions for Cyber Security in 2020

Reading Time: 5 minutes

The dynamic world of cyber security is prompting a new shift in focus for security execs and frontline defenders as we head into a new year in 2020. Given the rapid pace by which enterprises have adopted Cloud computing services to improve operations, the frequency of threats and attack methods, and the widening skills gap facing many industries, we expect 2020 will finally be the Year of Preparedness & Cyber Proactivity—from the CISO, to the Director of Risk Management, to the Network Analyst professional—and we’ll tell you why.

A recent report from ICS2 noted that the cyber security industry now faces an estimated shortfall of 4.07 million cyber professionals. In the U.S. alone, the industry is expected to have more than 490,000 unfilled cyber positions in the coming years. While the great debate continues as to whether we really have a “skills gap” problem or if we need to loosen the reins on job requirements and lower candidate qualification expectations, one thing is for sure—today’s (and tomorrow’s) cyber professionals will need help in combatting imminent threats to harden cyber security in 2020. To facilitate their preparedness strategy, we envision proactive tools and resources will become more mainstream to help professionals do their jobs with greater efficiency leveraging automation, to support expanding security provisions, compliance requirements, and minimize the widening attack surfaces.

Automation will become the preferred way to support security operations

Whether a security manager has 1,000 defenders on their cyber team or one, automating certain administrative tasks for these individuals will be a goal focus in 2020. Directors, managers and cyber team leads understand that threats are getting so sophisticated that network defenders and security analysts need as much help as possible.

Our own Battle Room Design Team Lead Matt Suprenant anticipates enterprises will be finding ways to “automate responses to detections” observing at the Microsoft Ignite event in Nov. 2019 that Microsoft toolsets on display were designed with automation in mind.

“As we think about the future of cyber, we will see a combination of things start working together as we learn more about AI, SOAR, and other mechanisms by which we can augment today’s workforce.” ~ Battle Room Design Team Lead, Matt Suprenant

Cloud adoption will be growing across all security sectors

In 2019, we predicted more enterprises would shift to the cloud for a more seamless and elastic security experience. Reports indicate that about 90% of businesses today are using the cloud to conduct operations from simple file storage to sales transactions in the cloud. So what’s next? Security divisions will be leveraging the cloud to train their professionals on the latest cyber threats and attacks in 2020. Cyber training in the cloud will likely become one of the new ways Cloud computing will be leveraged in 2020 since teams need persistent and always-on access to training (moving away from the one-and-done on-site classroom-based training offerings of today). The future of cyber training will occur in the cloud.

Don’t believe us? Hear the benefits of training in the Cloud in our webinar.

Renewed focus on security awareness training for all employees

Human resource managers and risk and compliance managers will work more closely together to design their own security training programs to nurture incoming talent and existing staff. Another cyber security prediction in 2020 will indeed be around this topic, as HR managers and Risk and Compliance managers identify new ways to educate all employees (not just the IT staff) on cyber risks, attack methods, and how to spot suspicious emails (phishing attacks), links, website, and other digital assets related to endpoint security.

“I hope the prioritization of training and education continues to increase; I hope the prioritization of security as a pillar of someone’s organization continues to get recognition. I think we’re coming out of a phase where organization’s felt that could just ignore the elephant that’s stomping around their data center. I’m hopeful we’re moving into this position that people are being more generally aware [of their digital activity online], not just on paper, but that [cyber security readiness and training] needs funding and collaboration…The industry is moving toward recognition that this is where priorities lie.” ~ Megan Daudelin, Team Lead, Curriculum Development

Election Security will dominate discussions

Years ago, ballot fidelity was the issue to solve but now, election security is the hot ticket item to address in cyber security in 2020. The breadth and diversity of counties means election security isn’t managed the same way, putting all elections at greater risk of interference. Russian cyber criminals have been able to gain access to voting systems around the country, most notably in the 2016 election. As we head into an election year, election security pros will be understanding vulnerabilities in voting machines and (ideally) replacing such machines using congressional funds, which granted $380 million to upgrade old voting systems.

We also anticipate both election volunteers and frontline election security tally monitors and processors will desire more cyber training and education to ensure they’re doing their part to stay vigilant against any suspicious activity that comes in their purview.

Increased Attacks on IT/OT automated systems, state local governments

Municipal ransomware attacks on cities was a big occurrence in 2019 and we don’t envision it’s going to stop in 2020. A CNN news article reported that over 140 local governments, police stations and hospitals were held hostage by ransomware attacks in 2019. As more entities run by and are funded/informed by state and local government organizations, automated operations of network security will be more prevalent to streamline workforces and workloads, thus, increasing the chances of cyber attacks occurring on those systems. To prevent data breaches and make cyber readiness a top priority, live fire cyber exercises will be leveraged to bring together cyber security experts across departments and teams, divisions and functional areas of critical infrastructure and government operations.

We will continue to see a rise in targeted ransomware attacks, especially against small to medium size public entities like utilities, governments, and hospitals. Too many are just paying the ransom because it is far cheaper to do that than fix it, even if you have backups. ~ Paul Ellis, Senior Product Manager

What do we do to harden cyber security in 2020?

Educate, educate, educate. Train. Train. Train.

That is our recommendation for security leaders, managers, and frontline defenders who are heading into 2020 trying their best to anticipate the next threat vector or patch a vulnerability.

The more companies can educate their non-technical staff about cyber issues and suspicious activity while IT teams and security divisions regularly train/upskill their defenders the better off enterprises will be.

It’s important to remember that cyber security in 2020 and beyond is not a “do this thing and you’re secure” effort. Cyber security and hardening posture is a JOURNEY, not to be taken lightly or without concern.

For enterprise security teams who want to understand more about how Project Ares can support cyber learning in mission scenarios that address election security, ICS/SCADA systems, and experience learning against automated adversaries in the Cloud, schedule a demonstration of Project Ares today.

For HR managers and Risk and Compliance directors seeking ways to implement a company-wide security awareness training program using gamification, check out our inCyt platform (Available soon).

 

Photo by Ramón Salinero on Unsplash
Photo by Shahadat Rahman on Unsplash

Living our Mission Blog Series: How Tony Hammerling, Curriculum Developer, Orchestrates a Symphony of Cyber Learning at Circadence

Reading Time: 3 minutes

Circadence’s Curriculum Developer Tony Hammerling wasn’t always interested in a career in cyber—but he was certainly made for it. In fact, he initially wanted to be a musician! While his musical talents didn’t pan out for him early in his career, he quickly learned how to create unique harmonies using computers instead of instruments…After joining the Navy in 1995 as a Cryptologist and Morse Code operator, he transitioned to a Cryptologic Technician Networks professional where he performed network analysis and social network/persona analysis. It was there he learned more offensive and defensive strategies pertinent to cyber security and was introduced to network types and communication patterns. He moved to Maryland to do offensive analysis and then retired in Pensacola, Florida. The world of cyber grew on Tony and he enjoyed the digital accompaniment of the work it offered.

For the last few years, now settled in Pensacola, Florida, Tony is a critical part of Circadence’s Curriculum Team, working alongside colleagues to develop learning objectives and routes for players using platforms like inCyt, Project Ares, and other cyber games like NexAgent, Circadence’s immersive network exploration game. Currently, Tony and his team are focused on building out learning of network essentials in NexAgent, and “…are bridging the gap between what new IT professional’s learn in NexAgent and getting them onto more advanced learning pathways in Project Ares,” says Tony.

“We’re starting to introduce new content for [Project Ares] battle rooms so users coming out of NexAgent can have an understanding of the tools and techniques needed for more advanced learning of cyber defense—and actually apply those tools and techniques in realistic scenarios.”

As the technical subject matter expert for cyber curriculum, Tony digs into the details with his work—and that’s where he shines. Tony and his team ensure that user learning is reflective of today’s cyber attacks and vulnerabilities. In the next iteration of NexAgent, users will be able to focus on network segmentation using election security as the theme for game-play. From separating election polling servers to working with registration databases to designing networks to prevent election fraud, learning becomes much more interesting for the end-user.

The most exciting part about Tony’s job is the diversity of material he gets to work on every day. One day he could be helping end-users of Project Ares identify fraudulent IP addresses in a battle room and another day he could be working on a full-scale technical design of a SCADA system modeled after a cyber incident at a Ukrainian power plant.

By understanding corporate demands for new content, Tony and his team have more direction to build out cyber learning curriculum that aligns to customer’s needs. He believes the technical training he’s able to support with learning material in Circadence’s platforms complements traditional cyber learning paths like obtaining certifications and attending off-site classes. The variety of learning options for users of all cyber ability levels (both technical and non-technical), gives professionals the opportunity to be more thoughtful in their day-to-day lives, more critical and discerning of vulnerabilities and systems, and more creative in how they address threats.

“Knowing that people are able to come into a Circadence product and learn something that they didn’t know before or refine specific knowledge into an application/skill-based path is exciting. I don’t think too much of the greater impact my work provides—but perhaps 10 years down the line when we can say ‘we were the first to gamify and scale cyber training,’ it will mean so much more.”

We are grateful for the unique talents Tony brings to the Circadence family of products and how he’s able to craft learning “chords” that when orchestrated, provide a symphonic concerto of cyber learning activity—empowering cyber professionals across the globe with relevant, persistent, and scalable cyber training options to suit their security needs.

Photo by Marius Masalar on Unsplash

Photo by Alphacolor on Unsplash

 

Why Cyber Security is Important for Higher Education Institutions

Reading Time: 3 minutes

It might surprise you to know that the education industry is a prime target for malicious hackers. While threats in this sector are on the rise, many education institutions are not prepared for a cyber attack nor do they know how to recover from one. In fact, there were 122 cyber attacks last year at 119 K-12 public education institutions, averaging out to an attack every three days. A 2018 Education Cyber Security Report published by SecurityScorecard also found that of 17 industries, the education sector ranked dead last in total cyber security safety. Schools are leaving themselves open to student and faculty identity theft, stolen intellectual property, and extremely high cost data breach reconciliation. In fact, a study done by the Ponemon Institute shows the average cost of a data breach in the education sector is $141 per record leaked.

This industry faces some unique cyber security challenges:

  • Historically, this industry is based on the free exchange of information, i.e the philosophy that information should be readily available to all. The use of computers and internet in education has allowed information to be stored and accessed in many different ways, creating vulnerabilities in storage, network security, and user error which leaves systems susceptible to hacks.
  • Students and staff may have limited technical skills and prowess to know how to stay safe online.
  • Online education systems are highly distributed across multiple schools in a district or across state lines, making it easier to infect one system to gain access to all.
  • Computer systems used by schools often lack a single application, or “source of truth” to safely manage student and employee identities.
  • There’s a significant change in the user population every year due to students graduating and new students enrolling, making it difficult to track who is using certain resources and who has access to them.
  • Remote access is often required, with students and parents accessing systems from home computers and smartphones. When you access an online resource repeatedly from potentially vulnerable or unsecure networks, it creates more opportunity for hacks.

So how can educational institutions better protect themselves against looming cyber threats?

  • Shift the focus to prevention instead of mitigation – by making the focus on securing data before an attack happens rather than after, organizations will be better prepared to protect students and staff against a breach.
    • IT directors and security operators within educational institutions would be wise to consider persistent training solutions for their teams to optimize existing cyber skills so they don’t go “stale” after a period of time.
    • Likewise, perform a security audit and work across departments to understand all the digital systems in place (financial, teacher, student portals, etc.) and where vulnerabilities might exist.
    • HR departments of institutions should consider updating or adopting employee security awareness training to ensure every education-employed professional working on a computer understands the basics of cyber security and how to stay safe online.
  • Minimize internal threats – Verizon’s 2019 Data Breach Investigations Report found that nearly 32% of breaches involved phishing and that human error was the causation in 21% of breaches. Proper and continued training and awareness around security issues is key in preventing possible attacks.
  • Make cyber security a priority in IT budgeting – Schools and other educational institutions need to recognize the growing cyber threatscape and prioritize allocating funds to training tools, IT teams, and continued education for internal staff.

Circadence is here to help. Our immersive, gamified cyber learning platform, Project Ares, can help ensure that your cyber team is ready to defend against malicious attacks, and our inCyt product (coming soon!) will keep everyone else in your organization up to snuff on cyber defense and offense. We pair gamification with prolonged learning methods to make learning and retaining cyber security tactics simple and fun for all. Don’t let your institution and students be next in line for a breach–think inCyt, and Project Ares when you think cyber security for the education sector!

If you’re still looking for more information on education and cyber security, check out these handy references:

DOWNLOAD WHITEPAPER

Photo by Vasily Koloda on Unsplash

Living Our Mission Blog Series: Building Hyper-Scalable Cyber Training Experiences with Randy Thornton, Enterprise Architect at Circadence

Reading Time: 3 minutes

A newly minted Engineering Fellow, Randy Thornton has dedicated his craft to software development for over 30 years. His passion for learning and using new technologies is evident in Circadence’s cyber range platform, Project AresÒ.

Randy joined Circadence in 2005 when the company was selling its WAN Optimization product, MVOÔ. His background in scientific computing software for CAD/CAM, telecom, and seismology have all been brought to bear to transform Project Ares from a mere cool idea that met unique market demands, to now, a full-fidelity, hyper-scalable range training tool for cyber security professionals used worldwide.

Randy and Circadence: Then and Now

In the beginning, there were about four Circadence employees working on the Project Ares prototype, which was eventually adopted by government and military agencies who were looking for better ways to train their cyber operators. Fast forward to today, Randy is leading the Project Ares team to redesign the architecture to scale within Microsoft Azure.  The goal is to provide private sector enterprises the same cutting-edge opportunity to train their cyber teams of any size and location on a gamified range—persistently, authentically, with flexibility and relevant to their specific cyber readiness needs. And Randy has been there through it all!

Today Randy mentors the engineering team at Circadence and helps them identify and collate standards around how the company’s products’ code is written and tested. He also helps identify what technologies to use and evaluates the technical feasibility of using new tech in the products themselves.

“Researching and learning new technology and staying on the cutting-edge is one of the most exciting parts of my job,” said Randy. “I see so much potential for Project Ares…so much promise…and being able to build out complicated networks in the cloud is a welcomed challenge for me.” he added.

Fellow Designation Reflected in Technical Capabilities within Project Ares

Randy’s contributions have been celebrated with a promotion to an Engineering Fellow, a significant career milestone that honors his achievements, expertise, and technical leadership to Project Ares, Circadence, and the cyber security industry as a whole.  The well-deserved recognition clearly stems from the fact that Randy never stops learning! He recently completed his Azure architecture certification exam, which helps him contribute to transitioning Project Ares to run on Microsoft Azure intelligent cloud.

“Project Ares’ ability to scale across regions is even more prevalent now thanks to Microsoft Azure,” said Randy. “The usability, the functionality, and its capability to connect across multiple locations and look like one single installation will be very beneficial to enterprise and government entities looking to scale their cyber training efforts effectively.”

A professional motto that drives Randy’s belief in continuous innovation in Project Ares is “Every time we change code, we should improve it.” It is this technical philosophy that has kept Randy and the Circadence engineering team on their toes and moving at pace to meeting market demands for scalable cyber training experiences.

Evolving Cyber Training to Scale for Customers

Randy’s current project lies in Project Ares.Next, an evolution of Project Ares from an on-premise application to a true cloud native SaaS platform that fully exploits the advantages of the cloud computing model.  Many of the cloud native improvements for Project Ares will be “under the covers”.  But customers will see performance improvements in mission virtual machines and new cyber curriculum will be able to be added to the platform more expeditiously. Project Ares users who want to train their teams from anywhere in the world will be able to do so persistently, without compromising user experience and impacting mission load times, etc.

As Project Ares evolves, we start to adapt to Go and Google standards and Kubernetes standards,” said Randy. “We’ve been working closely with Microsoft engineering teams on how we use the Azure Cloud most effectively and efficiently,” he adds.

The work of Randy and his teams is technical in nature and we greatly appreciate the level of knowledge and expertise they have to ensure Project Ares stays on the cusp of cyber training market demands using the latest technology to automate and augment the cyber workforces of tomorrow. We are grateful for their work to make Project Ares better every day as they use their talents to inform what our customers experience in the platform.

Learn Project Ares, including recent mission and battle room updates!

Photo by Markus Spiske on Unsplash
Photo by John Schnobrich on Unsplash

Living Our Mission: Learning is Built into Project Ares, Thanks to Victoria Bowen, Instructional Designer at Circadence

Reading Time: 3 minutes

Victoria Bowen has worked in the instructional design field for about 35 years – primarily developing e-learning with a smattering of web development, SharePoint development, and Learning Management System administration. She holds an undergrad degree is in psychology, a master’s in special education, and doctorate in curriculum, instruction, and supervision with emphasis on instructional design.  What that means is that she knows how people learn and what aids and interferes with learning in training products. Victoria worked an IT security services company and then transitioned to a training role with the Air Force’s Cyberspace Vulnerability Assessment/Hunter (CVAH) weapon system. “I was responsible for the training database and the app store for several versions of CVAH.  I also developed user guides and training materials,” she said. Victoria served in that role for about nine months before joining the Circadence team.

Since September 2013, Victoria’s main job as an instructional designer has been to analyze training needs for Circadence products. She helps assess target audiences for Circadence products to determine learning goals and objectives for the product designers. She establishes the behaviors that a user would be assessed against, after engaging with the product, to ensure learning has occurred. Victoria also suggests ways to evaluate those behaviors to optimize product utility. In doing so, she prepares training outlines and documentation and writes content development processes and learning paths. Mapping Job Qualification Requirements (JQRs) tasks to training tasks is a regular function of Victoria’s job alongside mapping National Institute of Standards and Technology (NIST) standards to training tasks. She ensures the core skills addressed in our curriculum creation tool Orion™ align to defined NIST standards.

Applying instructional design theory to new technology

What keeps Victoria returning to her desk every day is the challenge of learning and applying instructional design theory to cutting edge training technology. Although the old rules still apply, Circadence is leading the way in developing new rules and research on how learning happens and best practices for simulations like Project Ares®. We know a lot about constructivism as an underlying theory, but to apply it gaming environments like Project Ares is new and fascinating,” she says.

The challenge of applying theory to technology is complicated by the fact that new books about instructional design and cognitive analysis and processing are published frequently. And there are new online articles every month. Also, there is a growing emphasis on instructional analysis before beginning training development projects, so there is a growing emphasis on analytical skills for instructional designers. These skills help us design the right training, just enough training, and just in time training for learners.

“Ensuring we are constructing an environment in which the player is constantly learning, not just performing a task or activity is essential.  We need the player to understand the what, when, how, and why related to the tasks they perform in the environment.  For deeper learner and better retrieval from long term memory, we also need the player to understand how their tasks relate to each other.” Victoria says. “Furthermore,” she adds, “we want the player’s understanding and performance to progress from novice to intermediate to expert. That doesn’t happen just by repetition. There must be instruction too.”

Instructional design within Project Ares

For the Project Ares Battle Rooms and Missions, Victoria collaborates with cyber security subject matter experts to write the learning objectives and assessment criteria, provide role-based learning content outlines, identify gaps and redundancies in content, and review product design to ensure high quality instructional design aspects. For inCyt™, she’s written the scripts for several of the cyber security lessons. Finally, Victoria also reviews and identifies instructional design issues such as scrolling text and text display not controlled by the user, “both of which interfere with cognitive processing by the user and adversely affect transfer from short term to long term memory,” she adds.

“I have a different challenge every day and I like challenges. I’m also fascinated by cyber security and enjoy learning more about it every day. Instructional research has consistently supported that interactivity is the most important component of instruction regardless of delivery method. We have a very interactive environment and that’s great for retention and transfer of learning to real world application.”

Victoria’s passion for intelligent learning systems dates back to her time in school. “When I was a poor graduate student at the University of Georgia, I paid around $25 a month in overdue fees to the library so I could keep the AI books I checked out longer. (Once they were turned in, professors usually got them and could keep them up to a year.) There were only about 25 books on that topic at the time. Today, it is remarkable to see what our AI team can do with Athena.”

Why persistent cyber training matters

The cyber world is changing very fast. People need to learn constantly to keep up with their job requirements. Cyber challenges are not about cookie cutter solutions. It’s important that the cyber operator learns cyber problem solving, not just cyber solutions. By jumping into a training program and being able to craft different approaches to solving problems and test those approaches, the cyber professional can learn skills that directly help them do better on the job. Plus – a big plus – the training is fun!

Living our Mission: Creating Authentic Cyber Training and Learning Environments Inspired by Real-World Experience: Todd Humes, Sr. Mission Designer

Reading Time: 2 minutes

Bringing his Air Force and military security engineering background to use, Senior Mission Designer Todd Humes understands what it takes to defend networks from adversaries. Prior to Circadence, he served in various government security roles including as a Systems Security Engineer and Systems Administrator and on the commercial side as a Director of Network Defense Operations at a Managed Security Service Provider. He noticed a gap in commercial cyber training and readiness that eventually lead him to Circadence.  

In his current role, Todd ensures that real-world training exercises developed meet critical training objectives and are authentic for the end-user. “We want to provide a safe place for trainees to learn cyber…so he/she doesn’t have to worry about causing damage on actual networks when trying to build skills,” he says.  

It’s important trainees in Project Ares experience true-to-life cyber threat scenarios that they would in their actual workplace.

In “mimicking a controlled environment that they would see” in the workplace, trainees gain “an experience that is highly relatable and allows for professional development,” Todd says.  

When developing new missions Todd and his team examine market verticals and threats associated with those industries to identify unique scenarios that can be built out in a Project Ares mission. “We do our own research and threat intelligence targeting verticals, brainstorm specific scenarios and begin designing what the network environment should look like,” he says. The automation and orchestration of how the mission will unfold require a great deal of programming. Between building the mission components, the layout, and the services that will be “affected” in the exercise, Todd and his team bring cyber threats to life in the most authentic way possible. Sometimes, he adds, “we have to reverse engineer the malware [for example] to get the capability we want,” adding layers of complexity and back-end work to produce the final product.  

But the intricacies of building missions is anything but dull. “It’s never boring! We’re always learning day in and day out and the people who are successful in this field are the individuals who continue to learn themselves,” Todd says.

To ensure missions stay relevant against today’s threats, Todd is always keeping a pulse on the latest research and vulnerabilities by studying online reports and attending cyber conferences and industry-related events to network with like-minded leaders.  

He believes by continuously learning about the industry, all professionals in this line of work and beyond can find new and better ways to address an exploit and stay one (or several) steps ahead of hackers. He considers cyber security one the few industries and specializations that requires persistent learning and skill building in order to “extend the life” of security across organizations and companies.   

Learn Project Ares, including recent mission and battle room updates here.   

How Cyber Security Can Be Improved

Reading Time: 5 minutes

Every day we get more interconnected and that naturally widens the threat surface for cybercriminals. In order to protect vulnerabilities and keep pace with hacker methods, security – and non-security professionals must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, within cyber teams via persistent training, and in communication between the C-suite and the CISO. Check out our recommendations below and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.

Company-Wide Security Awareness Programs

Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.

Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary but a most recent article from ThreatPost notes that phishing attempts have doubled in 2018 with new scams on the rise every day.

But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?

We believe in the power of gamified learning to engage employees in cyber security best practices.

Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other player’s assets for vulnerabilities to exploit. The back and forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.

By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.

Benefits of company-wide security awareness training

  • Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
  • Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
  • Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.

For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.

Persistent (Not Periodic) Cyber Training

For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has and continues to be the option of choice—but the financial costs and time away from the frontlines makes it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.

Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven—meaning the material is often too outdates to be relevant to today’s threats—and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!

What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?

We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently training on their own networks safely using their own tools to “train as they would fight.”

Browser-based, Project Ares also allows professionals to train on their terms – wherever they are. Artificial intelligence via natural language processing and machine learning support players on the platform by acting as both automated adversaries to challenge trainees in skill, and as an in-game advisor to support trainee progression through a cyber exercise.

The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.

Benefits of persistent cyber training

Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:

  • Increased engagement, sense of control and self-efficacy
  • Adoption of new initiatives
  • Increased satisfaction with internal communication
  • Development of personal and organizational capabilities and resources
  • Increased personal satisfaction and employee retention
  • Enhanced productivity, monitoring and decision making

For more information about gamified cyber training, read about our award-winning platform Project Ares.

CISO Involvement in C-Suite Decision-Making

Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.

Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.

C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.

A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.

The CISO perspective is, if ever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are not security “add ons” brought in too late in the game. Also, actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.

Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber.  To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.

Improving Cyber Security for the Future

Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.

If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.

Photo of computer by rawpixel.com from Pexels

Top 10 Cyber Myths

Reading Time: 1 minute

The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.