The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.
Introducing girls to the world of cyber security and empowering their access to this STEM discipline is incredibly important to Circadence as we advocate for a cyber workforce with diversified thinking and problem-solving perspectives to keep pace with today’s adversaries. In mid-May, Circadence was honored to host 12 Brownies from a local Girl Scout troop at our San Diego office to help them earn their cyber security badges. Some of Circadence’s own family members are involved with the local troop and several co-workers facilitated a series of workshops for the girls to teach aspects of cyber security including cryptography, spamming, and virus detection.
Circadence’s Raeschel Reed, software engineer, taught the group about cryptography and showed them how to use a Caesar cipher to encrypt messages. The girls worked in groups of two to encrypt their favorite food and color. Then, they traded messages with each other and worked to decrypt the messages.
The group also learned about spotting fake emails and about using photo filters and editing pictures from Shirley Quach, Software Engineer at Circadence. Girls broke into groups and presented their comparison arguments for which photo was real and which was fake.
Yadhi Marquez-Garcia, DevOps engineer, taught a section about what a digital footprint is and how we should only share positive and not personal information. The girls wrote down all of the websites, games, and online services they interact with in order to learn about their own digital trail and “see” where they have been online. This helped them be much more conscientious and intentional about sites they visit online and the implications of their online activity.
Digital viruses and how they spread was another topic of discussion that included a hands-on activity. Domonique Lopez, office operations manager, led the girls through an exercise where they shook hands with as many people as they could in two minutes and then pulled a card out of a bucket. The girl who pulled the card out was deemed “the virus” and the other girls quickly realized they were likely “infected” because most had touched her either directly or indirectly. Domonique and the girls then discussed ways to limit exposure to viruses while online. The underlying lesson was that viruses can spread quickly if you aren’t careful about what websites you “shake hands” with.
Complementary to that topic, Kate Dionisio, software engineer, applied the concept of viruses to computer networks. She discussed how malicious viruses are designed to disrupt computer systems and explained how ransomware attacks work. The girls gathered in a group and tried to pass a message from one to another (a game of “telephone”) while 3 disrupters shouted and tried to stop the message. Then they did the same thing but with 6 disrupters! This led into a discussion about how some viruses will overload a server with requests and stop messages from going where they need to go.
Finally, the girls formed teams of two to play inCyt, Circadence’s new cyber awareness game designed to help anybody learn basic cyber concepts similar to the ones that the troop had been learning about. Volunteers helped the girls understand how the cyber topics they’d been learning about applied to cyber attacks they were playing with on inCyt.
“When interacting with inCyt the girls were excited to get a chance to play a game. They loved picking their hackables and choosing a name. They got really excited when they were successful at sending a hack and loved the music. When talking with each other and volunteers they did a great job of connecting what they were doing with our discussions about digital trails and clicking suspicious links. I think they walked away more engaged than if we had just given them a lecture on the content,” said Domonique.
Circadence is pleased to host opportunities like this to engage the next generation and improve their cyber awareness. There is a significant cyber skills gap today, and while these young girls won’t be entering the workforce soon, we hope they learned that cyber security isn’t scary and is a field they could consider someday. In the meantime, we’re glad that they might be a little safer online.
Policy makers are now prioritizing data security over talent, efficiency and controlling costs. As students growing up and being educated in the digital age, we are just starting to understand the importance of cyber security to individuals and their companies. Taking part in a Research Associate Internship on campus at Nichols College, our eyes have been opened to the vast number of threats we face on a daily basis.
Oracle conducted a study titled “Security in the Age of Artificial Intelligence,” where 341 C-Suite executives and 110 policy makers were asked about their plans to improve their company’s security in the next two years. The top answer from this sample was to train existing staff. Human error poses the greatest risk to these companies (Oracle). In order to mitigate this risk, it is imperative to understand the opportunity cost of training employees on the importance of cybersecurity. Prioritizing training would prevent small mistakes, potentially costing a company much more in the long run.
Bryant Richards, a Nichols College Associate Professor of Accounting and Finance, noticed a gap in cyber security education and wanted to bring cyber to campus in a big way, stating: “As cyber risks have become ubiquitous throughout the industry, it is our responsibility to provide some degree of cyber literacy to our business students. We must train our accounting students to be data and technology professionals who understand accounting. The realistic and experiential nature of Project Ares matches how our students learn and provides a transformative learning experience.” Richards, along with the two of us, helped Nichols partner with Circadence to complete a three-month pilot program of its gamified cybersecurity learning platform, Project Ares.
What We Found: Circadence did a great job with Project Ares, with an appealing, gamified user interface that sucks you in and is easy to use. As a student with no technical experience in the cybersecurity field, Project Ares proved to be both engaging and challenging. It provided an abundance of resources through its Media Center and Mini Games. Users can obtain a base layer of knowledge, progressing into education on concepts like the Cyber Kill Chain and how hackers utilize it. The interactive Battle Rooms provide real-life, technical lab environments where users can spin up virtual machines, explore real-world tools, build their confidence, and hone their skills.
What We Learned: You do not have to be a professional hacker to steal someone else’s information or gain access to their computer. Understanding the code is no longer enough; this is much more than an individual problem. If your own device is compromised, the hacker can steal your personal information, and steal information from your employer and worse. This harsh reality surprised us when we first commenced our research. From clicking a wrong link in an email to accidentally tapping an advertisement banner on your phone, these small errors can seem harmless but are really detrimental to your overall security.
The gamification of cybersecurity training has allowed those of us with no prior knowledge a chance to get a leg up. With increased demand to train existing staff, new training approaches must be made for the next generation of cybersecurity specialists. Gamifying the process made it easily digestible, directly benefitting any potential company or individual.
The first step in becoming educated on cybersecurity is understanding that there are threats present in our everyday lives. Brad Wolfenden, the man who gave us our initial walkthrough of Project Ares, compared cybersecurity to buying a gallon of milk, saying:
“I believe that part of the disconnect around cybersecurity best practices comes from the assumptions we make as consumers in general – that what we’re buying is designed and sold with our best interests, and security, in mind … The food you buy and eat is certified by the Food & Drug Administration to indicate it has been safely grown/ raised and suitable for human consumption. When making technology purchases, we cannot take these same conveniences for granted.”
It is everyone’s ‘job’ to maintain high ethical standards and awareness when operating on the Internet nowadays. It is no longer up to one person or pre-installed software to protect your personal information. The more we are educated on the basic underlying principles of cybersecurity, the safer we will all be.
Oracle. “Security in the Age of AI.” Oracle, 2018, www.oracle.com/a/ocom/docs/data-security-report.pdf.
Wolfenden, Brad. “A Rising Tide Lifts All Boats: Celebrating National Cybersecurity Awareness Month.” Circadence, 30 Oct. 2018, www.circadence.com/national-cybersecurity-awareness-month/.
*Students R.J. LeBrun & Lorenzo Secola guest authored this blog post as part of their Research Associate Internship at Nichols College
What if someone told you that there was a new way to commute to work in the morning? A way that was more efficient than taking the highways or backroads to avoid traffic – a way that would allow you to save time, headaches and the dangers of driving altogether…you’d be interested, right? Maybe a little skeptical, certainly, but interested. So would we! Changing the way we think about a process or an act does not happen at the flip of a switch. We know that. However, the speed at which technology advances and new products and services hit the market with attempts to make our daily lives easier, faster, better requires us to be open to new ways of thinking about traditional approaches. In this blog, it’s about changing how we think about “cybersecurity training.”
While we can’t help you teleport to your office or lend you a flying car, the concept behind the “better way to commute” scenario is exactly what we at Circadence are advocating for—A new way to think about cybersecurity training and skills development. Now, we realize that might not be as “cool” as teleportation but hear us out.
When it comes to cybersecurity, we believe wholeheartedly that there is a better way to train cyber professionals on the latest tactics and techniques. Why? Current ways of developing professionals with “one-and-done” trainings in classroom settings aren’t working. How do we know this? Because businesses are still getting hacked every day. In 2018 alone, we saw a 350% increase in ransomware attacks and 250% in spoofing or business email compromise. If lecture-based, classroom setting, PowerPoint-driven training courses were working, we wouldn’t still be reading about breaches in our local and national news. Something new, something different has to be done.
Talk to your teams
People develop, use and control the technologies we have available to us. People are the mechanisms by which we execute certain security methods and procedures. People are the reason there are actual tools to help us stop threats. Talking to your team can help gain perspective on how they are feeling with their current workloads and where they want to improve professionally.
Without well-trained individuals who persistently learn new skills and find better (more efficient) ways to operationalize cyber processes and techniques, our businesses and our personal information will be exploited—it’s only a matter of time. If you are thinking “I send my team to an off-site course and they learn new stuff every time,” then great! We invite you to take the next step and talk to those teams about how they’re using what they’ve learned in everyday cyber practice. Sometimes the first step in adopting a new way of thinking about a process (in this case, cyber training) is to talk to the people who actually experienced it (those with boots on the ground).
Talk to your teams about:
- their experience on-site at the training
- what their main takeaways were
- how they are applying learned concepts to daily tasks
- where they see gaps or “opportunities for improvement”
Listening to teams and asking objective questions like this can shed light on what’s working in your cyber readiness strategy and what’s not.
Reframe negative thoughts
Things that are new and different are disruptive and that can be scary for leaders looking for concrete ROI to tie to cyber readiness solutions. Forbes suggests reframing negative thoughts as well. In thinking about a new way to do cyber training, instead of “gamified cyber learning will never work,” come from a place of inquiry and curiosity instead. Reflect on what feelings or experiences are causing you to think negatively about a new way of doing something.
Ask objective questions like:
- What is gamification in the first place?
- What are the pros and cons of gamified learning?
- How could my team even adopt a gamified learning approach?
Understanding how something works or could work for your specific situation is the foundation for evaluating the merit of any new process or approach presented to you.
Know Today’s Cyber Training Options
How cyber training has been conducted hasn’t changed much in the past several years. Participation in courses requires professionals to travel off-site to facilities/classrooms where they gather together to listen to lectures, view PowerPoint presentations and videos, and maybe engage in some online lab work to “bring concepts to life.”
Travel costs are incurred, time away from the frontlines occurs, and learners often disengage from material that is passively delivered to them (only 5% of information is retained with passive-learning delivery).
One of the biggest gaps in cyber training is that there isn’t a way to effectively measure cyber competencies in this traditional method. The proof is in the performance when professionals return to their desks and attempt to identify incoming threats and stop them. That absolute, black and white, way of measuring performance is too risky for businesses to stake their reputation and assets on.
Leaders who send their teams to these trainings need to know the following:
1) what new skills cyber teams have acquired
2) how their performance compares to their colleagues
3) what current skills they have improved
4) what cyber activities they have completed to demonstrate improvement/progression
Today’s off-site trainings don’t answer those questions until it’s too late and a threat has taken over a network. Professionals can “see” really quickly when a learned skill doesn’t translate to real life.
Embrace the journey of learning
There is a better way to train professionals and it can happen with gamification. But don’t let us be your only source of truth. Talk to people. Listen to their experiences training traditionally and hear firsthand what they want out of a skill building opportunity. Read the latest research on gamification in the corporate workplace. Then, make connections based on the intel you’ve gathered to evaluate if gamification is right for your organization’s professional development approach.
We’ll be here when you’re ready to dive deeper into specific solutions.
What is immersive, gamified cybersecurity learning? The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit the mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited. The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But gamification is more than a buzz word. Companies have seen gamification work for them in cyber team training—so we thought it wise to take what is working and apply it at the earlier stages of career development—in the classroom.
At Divergence Academy, we are proud to offer a curriculum that embraces blended cyber learning to cultivate students and transitioning professionals who are ready to enter the workforce and stop today’s cyber threats.
We offer data science, cybersecurity, and cloud computing immersive learning programs that enable students to gain the knowledge and skills needed to work in any of those fields. Many of our courses offer a mix of concept-driven learning and application-driven learning so that students understand new knowledge and, in turn, apply that knowledge in skill building, project-based activities. Through working with messy, real-world data and scenarios, students gain experience across the entire technology spectrum.
Studies find when learners engage in active learning, hands-on activities, their information retention rates increase from 5% (with traditional, lecture-based methods) to 75%. The millennial generation presents radically different learning preferences than previous generations. Thus, educational institutions across the country should consider gamification as a pedagogical technique in the classroom. A study from the University of Limerick notes:
Gamified learning activities could become an integral part of flipped teaching environments. Their social, asynchronous nature can be used to prompt students to engage with pre-prepared content, while gamified learning activities can be used in the classroom to prompt student interaction and participation.
In watching our students engage with gamified activities, we see team-building blossom before our eyes. We see instant collaboration and problem-solving and critical thinking emerge. Those kinds of soft skills can’t always be taught in a traditional lecture-based setting and because of that, it is critical that we continue to offer a healthy mix of concept-driven learning with gamified learning opportunities to our students so that they can enter the workforce with a more holistic understanding of the industry.
Cybersecurity has become a captivating and engaging subject matter for students, which is fantastic as those words aren’t typically associated with the technical field.
“Wow, today we were introduced to Project Ares. Captivating is the best description I can think of. It is like ‘Call of Duty’ for cybersecurity.”
~ Divergence Academy Student, 24 years old
Fellow professors and instructors are looking for ways to make cybersecurity more interesting and attractive to students and we believe at Divergence, the gamified learning approach can help. It is an approachable way for students to engage with a field they may be completely unfamiliar with and it supports instructors by offering a course that students WANT to take.
“We notice an increase in student engagement in the classroom with the introduction of Project Ares. Gamification brings an element of intrigue and satisfaction to the learning experience.”
~ Beth Lahaie, Program Director
We hope our adoption and proven success of a blended learning approach is the nudge other institutions around the globe need to consider its power in building the next generation of cybersecurity professionals.
It’s one thing to talk about the importance of teaching cybersecurity in an engaging way, and another thing to actually do it. Divergence Academy is proud to partner with Circadence to reimagine how cybersecurity is taught to current and aspiring professionals.
About Divergence Academy
Divergence Academy is an education institution creating adaptive learning solutions to empower individuals to pursue the work they love on the most relevant skills of the 21st century – from web development to data science to product management. It was established in 2014 as the first Data Science school in the Dallas/Fort Worth area that used a hybrid approach to learning. It offers immersive and weekend programs for working professionals, college grads and transitioning workers.
In early 2017, the academy grew to partner with leading cybersecurity organizations including EC-Council and CompTIA to offer certified learning for students. However, it found that the curriculum was missing something—a “WOW” factor—a platform where learning could be managed and developed using a more hands-on approach, allowing students to level up and reinforce the skills they were learning towards certification.
A Gamified Approach to Cyber Learning
In realizing that we needed a more robust learning platform that complemented the certifications we offered, we were introduced to Circadence, a market leader in cybersecurity readiness, known for its Project Ares® cyber range solution. It incorporated gamification into every aspect of the learning process, which encouraged students to progress through real-world exercises at their own pace and with a level of engagement unseen in previous traditional course sessions.
Finding Project Ares put us on the map as an institution that put learning to work and it showed that we are not just an AI school but a school that teaches what we preach!
The Class: Cybersecurity Professional Penetration Tester
We launched our 12-week class using Project Ares in early February 2019. The program is a 400-hour course delivered over 2 weekday evenings and Saturday to prepare students for the role of Certified Ethical Hacker. We have a mix of students from mathematicians to software engineers to IT students all with varying levels of knowledge of cybersecurity, but anxious to learn.
In Project Ares, students are able to identify “learning moments” where they begin to connect the dots on how a cyber concept is applied to a real scenario. They try to solve problems together, which is exactly what a real cybersecurity job would require.
Not only are students learning industry-wide technical competencies such as information assurance, risk management and incident detection but also workplace competencies like teamwork, planning and organizing, problem-solving, and more. In preparing for a CEH role, students engage in the battle rooms, learning foundational skill sets and then apply them to a methodology in the missions. Skills like system hacking are learned in Missions 8-10, 12, and 13, and enumeration in Mission 1, and reconnaissance in Mission 1.
Their feedback reassures us that Divergence Academy and Circadence are powerful partners. We hear they enjoy collaborating with their peers in exercises within the platform, and they form their own “tribes,” if you will; that’s the beauty of gamified learning. It really teaches these students how to work together and build the soft skills and technical skills needed for today’s workforce.
The Impact of Project Ares
Project Ares has allowed our instructors to really focus on our students’ performance. The automated, in-game advisor Athena within Project Ares helps students progress from activity to activity and solve problems quicker, which helps instructors prioritize the pace of learning for all students. Using the trainer view in Project Ares, instructors can see where the skills gaps are and how to better inform the exercise content to meet the individual needs of the students. Further, the automatic scoring and badging in the platform, coupled with the media center, allow instructors to easily align course curriculum with the platform’s games, whether it’s in a mission, a battle room, or through a mini-game.
A Vision Come to Life
Divergence Academy is excited to build a network with local community colleges in the Dallas/Fort Worth area in order to help upcoming graduates and faculty see us as a school that takes student learning to new levels—applied levels—practical levels that are relevant to the workforce. We hope local schools see our trade school as the next step in their learning journey to cybersecurity professionalism and understand that they will be able to get hands-on skill building (or upskilling) and practical experience.
To learn more about Divergence Academy and how they’re using Project Ares to support student learning, visit https://divergenceacademy.com/.
Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago. This event was hosted by Laura Lee, VP of Rapid Prototyping, and one of the lead creators of the Project Ares training platform.
The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me. The passion that Laura spoke with was something that I could relate to. As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios. Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.
One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment. She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score. This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.
The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me. Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools. If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.
To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.
Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.
There is a hacker attack every 39 seconds. The average cost of a data breach in 2020 is expected to exceed $150 million. And by 2021, there will be more than 3.5 million unfilled cybersecurity jobs worldwide. No enterprise is safe from an attack.
Because of that, CISOs realize as they evolve business operations to better serve customers, such progression has unintended security consequences and compromises. With strapped resources (both human and financial), how can CISOs in commercial sectors DO MORE to up their cybersecurity posture WITH LESS? The answer lies in the human-power to control systems, processes, and technologies.
CISOs in every industry realize technologies and “one-and-done traditional training” cannot keep companies safe—but with the properly skilled individuals taking the reins to leverage those technologies optimally, the human-side of cybersecurity can minimize the skills gap and frequent attacks.
We’ve taken the liberty of publishing several articles to help CISOs “do more with less” to strengthen their cybersecurity posture. We understand you’ve spent lots of time and resources developing your teams. And they’re doing the best they can with the resources they have. Still, to amplify their success, ongoing training can help—and we hope these articles help, too.
- Help wanted: Combatting the Cybersecurity Skills Shortage
- Modernizing Cyber Ranges for Professional Learning
- How to Tell if your Cyber Posture is Prone to an Attack
- Cybercrime Incidents in the Financial Services Sector
- Why We Can’t Keep Ignoring Cyber Fatigue
- How Continuous Learning Can Help Upskill Cyber Teams
- Why Gamification is the Answer You’ve Been Looking For
- The Benefits of Active Learning in Cyber Training
Growing Cybersecurity Challenges
CISOs and their teams are challenged to keep pace with evolving cyber threats due to staffing shortages, resource constraints, and strategy misalignment, not to mention the continuous threat of attacks on industries with interconnected technologies. In fact, 70% of cybersecurity professionals claim their organization is impacted by the skills shortage. With spending expected to exceed $1 trillion between 2017 and 2021 and 74% of C-suite executives failing to involve CISOs at the leadership table, the job of the CISO is incredibly difficult. That is why Circadence is dedicated to helping CISOs DO MORE WITH LESS—because we understand the arduous uphill climb they face (and will continue to face) if something is not done.
Hungry for more help? Download our 3 A’s INFOGRAPHIC to learn more ways to support your cyber team against imminent threats.
There’s Still Time to Up Your Cybersecurity Posture
If cyber teams cannot upskill and keep pace with evolving threats, commercial sectors will continue to be hacked. Customers will not only lose trust in these institutions that aim to protect them and make their daily lives functional, but they simply won’t be able to operate efficiently, economies will suffer, and more.
However, for enterprises that have experienced an attack, it’s not too late to invest in cyber training to prevent another. Doing nothing after an attack is the worst possible response. With failure comes opportunity to enhance resiliency on both a company-wide level, as well as at an employee-specific level. Investing in training tells hackers the attack attempt stops at its people first.
For enterprises that have not experienced an attack, it’s not a matter of “if” but “when” it will occur. Digitalization and limited human resources make a company’s front lines vulnerable and appealing to hackers. Now is the time to be proactive and empower cyber teams to train against hackers in a way that doesn’t require time-consuming travel, expenses, and other resources—simply a willingness to learn, grow, and upskill to better the company and themselves.
Circadence wants to change how cyber professionals prepare for, protect, and defend against evolving cyber threats. We hope these and future resources will help CISOs and cybersecurity leaders take proactive steps to strengthen their cybersecurity posture by training their teams and their entire organization, without the costly burden of traditional training courses.