The other day I overheard one of my salespeople ask a potential client how they upskill their cybersecurity team, which got me thinking. It’s a valid question, especially with so many vendors clinging to dated methods, but how it occurs isn’t the issue. What we should be asking is, why?
Staff who are upskilling will obviously get more from gamified content than PowerPoint presentations. But businesses don’t generally buy training to appease employees. If making staff jog several miles a day were the best way to prepare for a cyberattack, you can bet many CEOs would be eyeing a new running track. What must be questioned are the fears and pain points that drive an enterprise to invest in skills in the first place, and whether these can be resolved.
Answering this requires an understanding of the context. Nowadays most businesses expect to be hacked, knowing it’s a matter of when and not if. Once upon a time you could get away with hiring a bunch of computer science grads to tick a few HR boxes. Doing that in 2020 doesn’t account for the complexity of the problem and the impact it has on the organization as a whole. Security today is about ensuring you can minimize risk and protect the company in the event of a crisis.
Legacy cyber training cannot help with the latter – how could it? Such courses typically use a “next, next, finished” approach requiring no cross-team decision making or critical thinking. Even those that pair interactive learning environments with a great instructor aren’t tailored to an organization’s unique risk profile. The training simply isn’t specific enough. Sure, your team might get a shiny new certificate, but the skills they develop will decay quickly and therefore be unlikely to help in a real crisis.
That’s not to say traditional training is useless, because it has some valuable employee retention byproducts. Career development, increased expertise and company outings are all positive, but in the context of organizational risk and resilience, they are probably secondary. The crucial question about the business need is not answered; a company ultimately spends money on cyber skills development so that it can defend its value.
We must remember that cybersecurity is fluid: there is always an emerging technique to learn, an innovative method to adopt or a new attack to defend against. That’s why eyebrows were raised when the Certified Information Systems Security Professional (CISSP) qualification had its status boosted to master’s equivalent this year. It’s a tough course, but this elevation promotes a way of validating learning rather than building skills relevant to tomorrow’s attacks. Those seeking to further their cyber careers may look on and believe everything they need for a crucial role can be bought for a few hundred pounds, but this is sadly not true. Skills development is a journey, not a destination, so for individuals to be prepared they must upskill constantly – just like the bad guys.
Overlooking this human cyber readiness can destroy a business’s reputation. Never was this more apparent than in 2017 when Equifax mishandled a breach that exposed 145 million Americans’ data. It’s concerning that three years on, something that should’ve triggered change in the way businesses prepare has had little effect. Just look at what happened to Garmin in July, when a ransomware attack played out in full view with a significant impact on overall corporate value.
Some companies do get it right, however, and their reputations blossom. Norsk Hydro, for instance, is now seen as the gold standard of crisis response, winning plaudits across the industry after its deft handling of the LockerGoga ransomware attack. Instead of drip-feeding and spinning selective information throughout the attack, the aluminum giant issued regular, honest communications about events, seeking to expose the cruel tactics of cybercriminals.
It’s clear, then, that maximizing human capability is front and center in facing down adversaries. The issue, however, is that many organizations build their human cyber capability backwards, focusing on quick wins instead of instilling skills central to their business objectives. We must remember that businesses ultimately develop cybersecurity skills to save face and money. Yes, it’s about talent retention, but business metrics demand that a business has the correctly skilled people in place to defend corporate value. Understanding this could be the difference between an incident and a full-blown crisis.