Chief information security officers (CISOs) face a growing array of challenges. The proliferation of ransomware, vulnerabilities in Internet of Things (IoT) devices and other threats may seem to be the problem. But beneath these concerns lies a root issue: securing the enterprise is a people problem.
This means that CISOs need to focus on employees as much or more than on vendor tools and solutions. Do your employees have the right skills to combat cybersecurity threats? Are they updating their knowledge at the same rate cybercriminals are updating their attack patterns? And how can CISOs attract talent for all those unfilled roles in a competitive talent market?
In a research survey by ESG and ISSA, 96 percent of respondents agreed that cybersecurity professionals must keep up with their skills to avoid creating organizational disadvantages against cyber foes. And yet, organizations are falling behind when it comes to training.
Cybersecurity professionals report wanting more resources to improve their knowledge, skills and abilities. They’re not getting it in undergraduate programs – as of a 2017 Cyberbit study, none of the top 10 computer science programs in the United States required cybersecurity courses for degree completion. Less than one-quarter of the cybersecurity professionals polled in a McAfee report said they felt higher education gave them the skills they needed in real-world cybersecurity jobs.
That leaves it to CISOs to deliver the on-the-job training that attracts, retains and educates teams to protect the enterprise against breaches and attacks. This is critical for security leaders, many of whom cite a lack of training as a reason for leaving a job. And it’s also critical for non-technical employees, who are more likely to download malicious files, click on dangerous links or fall for the phishing emails that threaten their companies’ security posture.
To create a corporate cybersecurity culture, CISOs need to make engaging education tools available for everyone, as well as attack simulations for key security staff. There should also be a communication mechanism in place to reinforce new skills and incentivize safe behavior.
Among the options available for security training are:
- Cyber ranges: virtual environments for cyber defense training focused on people, processes and technology
- Online courses: on-demand classes in security fundamentals and technical skills
- Certification programs: administered by independent accrediting organizations
- Vendor trainings: to keep employees aware of the latest features and best practices for tools in which the organization has already invested
- Cybersecurity events: for information, innovation and inspiration
- Virtual training labs: for laser-focused cyber-attack training on exact replicas of an organization’s environment
Virtual training labs for cybersecurity professionals are a particularly cost-effective solution for onboarding new employees, as they remove the need for employees to travel elsewhere for training. Teams can maintain their productivity on the job between sessions, without sacrificing knowledge.
Whatever training options CISOs select to solve the people problem at the heart of enterprise cyber vulnerability, they should secure the buy-in from the rest of the C-suite in terms of budget, personnel, technology and training. With that in place, cyber awareness should have a central role from a new hire’s first days with the company, and regular evaluations should be conducted to determine vulnerability levels. CISOs should communicate the results of those evaluations to employees and build them into continuous training opportunities.
Gartner analyst Joanna G. Huisman said, “People impact security outcomes much more than any technology, policy or process.” We agree.
That’s why we dive deeply into the subject of training for better cybersecurity outcomes in our recent e-book, “Under Attack! How CISOs Should Respond to the Cybersecurity Crisis.” It’s full of the data, ideas and resources CISOs need to educate teams and increase enterprise resilience.