How Cyber Security Can Be Improved

Every day we get more interconnected, and that naturally widens the threat surface for cybercriminals. To protect against vulnerabilities and keep pace with hacker methods, security and non-security professionals alike must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, persistent training within cyber teams, and communication between the C-suite and the CISO. Check out our recommendations below, and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.

Company-Wide Security Awareness Programs

Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputational damage.

Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and the implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to gather information on a victim to exploit. Reports vary, but a recent article from ThreatPost notes that phishing attempts doubled in 2018, with new scams on the rise every day.

But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?

We believe in the power of gamified learning to engage employees in cyber security best practices.

Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security, from hacking methods to cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other players’ assets by finding vulnerabilities to exploit. The back-and-forth gameplay teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.

Making the learning fun shifts the preconceived attitude from “have to do” to “want to do.” When employees learn the fundamentals of cyber security, they not only empower themselves to protect their own data, which translates into improved personal cyber hygiene, but also add to their value as professionals. Companies are more confident when employees work with vigilance and security at the forefront.

Benefits of company-wide security awareness training

  • Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
  • Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
  • Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.

For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.

Persistent (Not Periodic) Cyber Training

For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and of ways to protect and defend against, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has been and continues to be the option of choice, but the financial costs and time away from the frontlines make it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.

Further, periodic cyber security training classes are often dull, static, and PowerPoint-driven, or prescriptive, step-by-step, and instructor-driven, meaning the material is often too outdated to be relevant to today’s threats, and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective, and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!

What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?

We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should also be able to scale as companies grow in security posture. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Because the platform runs on Microsoft Azure, enterprise, government and academic IT teams can persistently train on their own networks safely, using their own tools to “train as they would fight.”

Because it is browser-based, Project Ares also allows professionals to train on their terms, wherever they are. Artificial intelligence, via natural language processing and machine learning, supports players on the platform by acting both as an automated adversary to challenge trainees in skill and as an in-game advisor to support trainee progression through a cyber exercise.

The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.

Benefits of persistent cyber training

Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:

  • Increased engagement, sense of control and self-efficacy
  • Adoption of new initiatives
  • Increased satisfaction with internal communication
  • Development of personal and organizational capabilities and resources
  • Increased personal satisfaction and employee retention
  • Enhanced productivity, monitoring and decision making

For more information about gamified cyber training, read about our award-winning platform Project Ares.

CISO Involvement in C-Suite Decision-Making

Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.

Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.

C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.

A CISO is typically concerned about the security of the business as a whole, and if a breach occurs for the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.

The CISO perspective is that whenever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are no security “add-ons” brought in too late in the game. Actualizing the cost of a breach to the company in terms of dollar amounts can also capture the attention of the C-suite.

Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber. To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe, from the employees it employs to the technologies it adopts to function.

Improving Cyber Security for the Future

Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.

If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.


Guest Blog: Embracing Immersive, Gamified Cybersecurity Learning, Featuring Divergence Academy

What is immersive, gamified cybersecurity learning? The term “gamification” was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit the mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited. The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But gamification is more than a buzzword. Companies have seen gamification work for them in cyber team training, so we thought it wise to take what is working and apply it at the earlier stages of career development: in the classroom.

At Divergence Academy, we are proud to offer a curriculum that embraces blended cyber learning to cultivate students and transitioning professionals who are ready to enter the workforce and stop today’s cyber threats.

We offer data science, cybersecurity, and cloud computing immersive learning programs that enable students to gain the knowledge and skills needed to work in any of those fields. Many of our courses offer a mix of concept-driven learning and application-driven learning so that students understand new knowledge and, in turn, apply that knowledge in skill building, project-based activities. Through working with messy, real-world data and scenarios, students gain experience across the entire technology spectrum.

Studies find when learners engage in active learning, hands-on activities, their information retention rates increase from 5% (with traditional, lecture-based methods) to 75%. The millennial generation presents radically different learning preferences than previous generations. Thus, educational institutions across the country should consider gamification as a pedagogical technique in the classroom. A study from the University of Limerick notes:

Gamified learning activities could become an integral part of flipped teaching environments. Their social, asynchronous nature can be used to prompt students to engage with pre-prepared content, while gamified learning activities can be used in the classroom to prompt student interaction and participation.

In watching our students engage with gamified activities, we see team-building blossom before our eyes. We see instant collaboration and problem-solving and critical thinking emerge. Those kinds of soft skills can’t always be taught in a traditional lecture-based setting and because of that, it is critical that we continue to offer a healthy mix of concept-driven learning with gamified learning opportunities to our students so that they can enter the workforce with a more holistic understanding of the industry.

Cybersecurity has become a captivating and engaging subject matter for students, which is fantastic as those words aren’t typically associated with the technical field.

“Wow, today we were introduced to Project Ares. Captivating is the best description I can think of. It is like ‘Call of Duty’ for cybersecurity.”
~ Divergence Academy Student, 24 years old

Fellow professors and instructors are looking for ways to make cybersecurity more interesting and attractive to students and we believe at Divergence, the gamified learning approach can help. It is an approachable way for students to engage with a field they may be completely unfamiliar with and it supports instructors by offering a course that students WANT to take.

“We notice an increase in student engagement in the classroom with the introduction of Project Ares. Gamification brings an element of intrigue and satisfaction to the learning experience.”
~ Beth Lahaie, Program Director

We hope our adoption and proven success of a blended learning approach is the nudge other institutions around the globe need to consider its power in building the next generation of cybersecurity professionals.


A Call to Diversify the Cybersecurity Workforce

You’ve read about it, know it well, and can probably instantaneously identify one of today’s top cyber crises: the cybersecurity skills gap. It’s putting enterprises, governments and academic institutions at greater risk than ever because we don’t have enough professionals to mitigate, defend, and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021. The widening career gap is due in part to the lack of diversity in the industry.

And we’re not just talking about racial and ethnic diversity, we’re also talking about diversity of perspective, experience and skill sets. A recent CSIS survey of IT decisionmakers across eight countries found that 82% of employees reported a shortage of cybersecurity skills and 71% of IT decisionmakers believe this talent gap causes direct damage to their organizations[1]. It’s not just the technical skills like computer coding and threat detection that are needed, employers often find today’s cyber graduates are lacking essential soft skills too, like communication, problem-solving, and teamwork capabilities[2].

An ISC2 study notes that organizations are unable to equip their existing cyber staff with the education and authority needed to develop and enhance their skill sets, leaving us even more deprived of the diversity we desperately need in the cybersecurity sector. The more unique thinking, problem-solving and community representation we have in the cybersecurity space, the better we can tackle the malicious hacker mindset from multiple angles in efforts to get ahead of threats. Forbes agrees: “Combining diverse skills, perspectives and situations is necessary to meet effectively the multi-faceted, dynamic challenges of security.”

In an interview with Security Boulevard, Circadence’s Vice President of Global Partnerships Keenan Skelly notes that as cybersecurity tools and technology evolve, specifically AI and machine learning, a problem begins to reveal itself as it relates to lack of diversity:

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Keenan said. “What we really have to do…is make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI engineering process,” she added.

The good news is that it is never too late to build a more diverse workforce. Even if your organization cannot hire more people from different career backgrounds or with varying skill sets, existing cyber teams can be further developed as professionals too. With the right learning environments that are both relevant and challenging to their thinking, tactics and techniques, current employees can develop a more diverse set of cyber competencies, all while co-learning with diverse teams around the world.

Companies can also build relationships with local educational institutions to communicate critical workforce needs to better align talent pipeline with industry needs, recommends a new study from the Center for Strategic and International Studies. Likewise, cyber professionals can be guest speakers or lecturers in local cyber courses and classrooms to communicate the same diversification needs in the industry.

While some experts say it’s too late to try to diversify the workforce in thinking, skill, and background, we beg to differ. If we give up now on diversifying our workforce, our technology and tools will outpace our ability to use them effectively, efficiently, and innovatively. It’s not too late. It starts with an open mind and a “take action” sense of conviction.

[1] CSIS, Hacking the Skills Shortage (Santa Clara, CA: McAfee, July 2016), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf. 

[2] Crumpler and Lewis, The Cybersecurity Workforce Gap, Center for Strategic and International Studies, January 2019.


Making Cybersecurity BETTER: Dan Manson to Speak at RSA 2019

With the New Year in full swing, we are resolved not only to improve our own products to meet industry shifts but also to help improve cyber professionals’ skill sets against evolving threats. One of the ways we are doing this is through the help of our team member Dan Manson, Instructional Designer (Level 5) and current Professor of Computer Information Systems at California State Polytechnic University, Pomona.

Dan is speaking on a panel discussion at the upcoming RSA 2019 conference, titled “How to Create a Truly Diverse Cyber Workforce,” on Thursday, March 7 from 1:30 p.m. – 2:30 p.m. alongside panelists Mat Neufield, CISO for Unisys, and Jordan Jacobson, a California State Polytechnic University, Pomona student. Shelly Westman, principal with EY, will moderate.

It is at events like RSA (find Circadence and Project Ares at booth 6583) that the Circadence team and visitors to our booth share industry perspectives and explore dynamic learning solutions for cybersecurity professionals. The insights from these meetings often influence our advanced product capabilities, features, and offerings.

In addition to sharing his expertise on the ways to diversify the cyber workforce, Dan looks forward to playing an integral part in our Project Ares® cyber learning platform evolution alongside the rest of our incredible team.  He is helping integrate proficiency standards and competencies into Project Ares curriculum to improve the overall training value, player scoring, points, badges, etc. He also supports the analysis of how well the training content aligns to the NIST NICE Cybersecurity Workforce Framework, identifying the gaps for our Cyber Education and Training department to consider in curriculum design.

We know the cybersecurity landscape is fluid, in a constant flux of improving security provisions, processes, technology, and the professionals behind it all. Circadence understands that there is no “one-size-fits-all” solution, which is why our solution capabilities ride on the coattails of the frequent industry changes. Our “Living our Mission” blog series keeps customers and interested parties current on the latest updates to our platforms and the benefits of the developments on organizational security posture.

To learn more about how our gamified learning platform Project Ares is supporting a more diversified workforce in the midst of a widening skills gap, download our white paper “The Importance of Gamification in Cybersecurity Training” now.