Align training with job roles and don’t underestimate the value of experience
Cyber security is a complicated industry and often the skills and competencies required to do the job are grossly misunderstood. Further to that, much focus seems to be on the major certifications as a mark of being job-ready, such as the universally respected CISSP certification from the US body (ISC)2. Yet CISSP is a hard certification to hold and requires five years of experience to qualify for the accolade, even if you’ve passed the exam, so it limits your options when you go to market to hire a security person. Let’s explore the world of training, education and skills development within the cyber security industry and discuss some of the options available to us when we need professional cyber services.
The Skills Gap: Fact or Fiction?
Over the past decade, much has been written on the global cyber security skills shortage. There is debate on whether this skills shortage is as bad as it’s being made out to be, but evidence does suggest that the issue is real, although clouded by a misalignment of job roles across industries and nations. It does appear that there are not enough adequately skilled cyber security professionals to fill all the roles out there, so what can organisations do to address this?
The first question to ask yourself is whether you should recruit externally or attempt to upskill internally, targeting people with the right mindset and appetite to give security a try. If you decide to hire externally, tightly worded job descriptions are vital to success. But don’t overdo the description or look for a blend of skills that limits your chances of success. Cyber is a wide and varied industry; if you consider all the possible roles, from senior executives to forensic investigators, pen testers, architects and developers, most people won’t have the skills to be a superstar in all areas.
In Australia, confusion reigns supreme over what cyber security professionals are in terms of experience, skills, maturity and certifications. No industry body has taken the time to define what job roles are required (this was done elsewhere, such as in the UK by the IISP), so hiring managers going to market for, as an example, a senior security architect will end up with CVs from endpoint security specialists, firewall engineers and network architects, all of whom are likely skilled in their own specialisms, but are not security architects. If you combine this issue with the wide range of certifications and certification bodies, along with market acceptance of those certifications, it’s little wonder recruiters and hiring managers can’t find the right staff.
CXO Security believes that the skills gap isn’t as clear cut as it’s made out to be, and if job role definitions and continuing professional development were tightly coupled, organisations would be better off creating their own security professionals than trying to force ill-fitting new hires into a role.
Hiring junior team members in the security team and mentoring them (as long as you have the senior leadership) is also a valid approach and one that has yielded great results; it’s also an approach that has been mobilised in other professional industries with great success. The notion of running an internal apprenticeship scheme can then be integrated into your team’s career development plans, where formal training can be mixed with on-the-job experience and mentoring.
Are Job Role Maturity Models Worthwhile?
Skills for the Information Age (SFIA) is a skills and competency framework that demonstrates how job roles and skills (and experience) relate to business activities. SFIA lists the competencies expected of cyber security professionals at each level of seniority, from junior analyst roles all the way up to CISOs, security architects and consultants. By aligning SFIA with your career development programme, you can map the competencies required in each job role, then list the baseline competencies for each level of seniority. When you profile one of your team, you identify the gaps in their experience or knowledge that need addressing before they can be promoted, which makes the discussion about progression and readiness easy. Furthermore, if you define these job roles using SFIA, they will have meaning when you go to external recruitment. If you go to market for a security architect and state you want a level 2 senior security architect, as defined in SFIA, then you can have the recruitment agency filter through only those candidates with the requisite level of capability.
Experience Matters – Incident Response
Some security certifications are so broad that they teach little in terms of practical application of skills. CISSP is a good example, where the certification doesn’t help security professionals do their day job; rather it’s a testament that the person with the CISSP has a wide knowledge and the requisite experience: more like a licence to operate than a skills uplift. We believe that continual on-the-job training is a more effective way of learning security, with courses in specific disciplines such as risk management, report writing, business case writing, etc. also factored into development plans.
The incident management discipline is a great example of where it is necessary to gain experience responding to real attacks before you can expect to lead a response activity. When you are in the middle of handling a cyber catastrophe, with systems malfunctioning, malware breaking out across multiple networks and senior managers screaming for answers, you’ll be under enormous pressure. No amount of classroom roleplaying prepares someone for dealing with a major incident; however, companies can model threats and business impacts, so the basic premises of what constitutes an incident are understood by everyone.
The security operations team can focus on building playbooks – standard response plans – for each of your incident categories, documenting the basic steps of what to do during the attack. This is how response-oriented professionals prepare: take the fire service, for example. Fire response teams will plan how to extinguish different kinds of fires: chemical fires are different to house fires, which are different to bushfires. They would never rush into a bushfire situation without a plan. Their team would gather information from as many sources as possible; from the Bureau of Meteorology, from local law enforcement and DFES. This is known as situational awareness. Proper preparation and planning, with data from meteorological reports and local geography, help them make good decisions and save lives. They would never send an inexperienced firefighter, straight from college, to the frontline, even if she had perfect grades.
Professional training courses in cyber security disciplines like incident response do exist and you can push your team through this training path as part of their development programme. ISO 27035 training, for example, will teach your team the processes they should adopt to respond to a cyber-attack. However, formal training should always be followed by a series of exercises and fire drills to put them under pressure, even if simulated. Run a programme of increasingly complex tests that check the limits of their ability, allowing them to work both as contributing SMEs and as the incident manager. By doing this, you can watch how the team works together and monitor the efficacy of the response plan, thus honing the processes as you go and transforming the team from enthusiastic apprentices into battle-ready operatives.
What About End User Awareness Training?
Security awareness training is another aspect of education that receives a lot of criticism. Evidence shows that no matter how many hours of awareness training users take, the number of incidents from phishing attacks and password reuse (two of the most prominent reasons why people are compromised) hasn’t materially decreased. The explanation for this apparent failure is relatively simple to identify, but harder to fix.
At CXO Security, our approach to security awareness builds on basic awareness by incorporating elements of continual professional development into programme design. When staff resume their day jobs in sales, marketing, planning, research and delivery, their mindset shifts from security back to the task in hand. If a sales manager is in a hurry to clear his inbox before a customer meeting, he won’t be thinking about being a phishing target. He certainly isn’t stupid or irresponsible (as many IT administrators would tell you); rather he is a busy, successful professional with a lot on his mind, which often doesn’t correlate with caution and consideration of abstract threats such as cyber security.
Security awareness needs to be a target for the executive leadership team, with the HR team and workforce planning also included as stakeholders to make it successful. If security can be made meaningful and integral to how people work in your organisation, the continual reminders make it second nature for staff to consider threats.
Our approach is to help you effect change by designing a programme that incorporates training, briefings, technology, fire drills (internal phishing campaigns to test efficacy), letters – or videos – from the CEO and briefings cascaded through management to staff in town hall meetings. Posters, mailshots and prizes for staff who spot security issues (much like staff being asked to report health and safety issues) are useful techniques for raising awareness. Targeted awareness for specific job roles is also a beneficial approach, where managers, system administrators, reception staff and mobile workers have different things to think about, and this targeted content will make your training stick.