Cyber security is no longer an ‘option’ or a side issue – it is a strategic asset that every organisation must address. It is an area that is evolving at an express pace. In light of the many high-profile cases of cyber-attacks, there is a growing need to hire competent and experienced cyber security professionals. However, how to achieve this? You can find out in our article, in which we also suggest how you can use a cyber range platform – a platform for simulating real attacks – to train your team.
Table of Contents
What is a cyber attack and what are its consequences?
A cyber attack can happen to any organisation, regardless of size. According to the NIST definition, a cyber attack is the use of cyberspace to disrupt, disable, destroy or maliciously control infrastructure, destroy data integrity or steal information held by a business.
The impact of attacks can be devastating to an organisation and infrastructure, making back-office operations difficult or even impossible. Subsequently, this can result in serious data loss and irreparable damage to brand and reputation. And by extension, to the trust and credibility of the organisation. Not to mention financial losses, sometimes even leading to ruin (Sohime et al., 2020).
Cybersecurity Ventures predicts that the global cost of cybercrime will increase by 15 per cent annually, reaching US$10.5 trillion by 2025, up from US$3 trillion in 2015.
Why should companies have cyber security professionals?
It is not surprising that the level of sophistication of cyber attacks is increasing every day, with human error, caused by a lack of appropriate skills, contributing to many cyber security breaches.
There has been an urgent need for highly skilled cyber security professionals for quite some time, given the increasingly aggressive landscape that public and private organisations are facing. According to 70% of professionals, a skills shortage in this area affects their company (ESG & ISSA).
To start, ask yourself two questions:
- How much time and money has your team (i.e. your company) lost as a result of a cyber attack or the replacement of compromised devices?
- How many of these incidents could have been avoided if employees had received training?
If your answers suggest that you have not been the victim of a cyber attack, the truth is that unfortunately you may not know about them yet… As ZDNet reports, it takes most companies almost 6 months to detect a data breach, even a serious one!
The good news is that you can implement a cybersecurity training programme to help your employees become your company’s greatest asset in the fight against cybercrime.
How to build a cyber security team?
The fact that employers are struggling to fill cyber security positions due to a lack of skilled and experienced professionals has been referred to by many authors (Harris et al., 2015). The current skills shortage is estimated at 3.1 million worldwide (ISC2).
Furthermore, according to the Cyber Security Skills Report 2021 National Survey prepared by the Cyber Ireland Cyber Security Cluster, 55% of organisations surveyed noted that it takes 2 to 3 months to recruit for a cyber security role. Almost one fifth of them highlighted that it takes 6 months or even longer to hire a qualified employee. And people in technical positions are the most in demand, with as many as 82% of respondents expressing the desire and need to hire them.
As you can see, it is not easy to find suitable employees in this industry. And according to reports, many security departments within companies do not have enough people to perform the day-to-day tasks that are required to ensure an organisation’s cyber security.
According to respondents to the Cyber Security Skills Report 2021 National Survey, the main reason why it is difficult to fill open positions is „lack of the right attitude, skills, qualifications or experience”.
One reason for the difficulty in filling positions can be sought in the fact that traditional academic instruction and certification training often focuses on teaching basic skills through didactic classroom environments that lack opportunities to build cyber security student experience (Anderson, 2017).
As they say – every stick has two ends. Inadequate skill levels of recruits is one thing. However, it is worth considering whether we are making a mistake by focusing our energy and time on the hunt for the so-called „all stars” – rare (and therefore expensive) individuals with several years of experience and advanced knowledge of multiple security technologies, holding multiple certifications, excelling at managing a SOC team as well as making presentations to the board. Current and aspiring cybersecurity professionals themselves acknowledge that this is a common problem, creating frustration. Many organisations have unrealistic expectations of the positions they are trying to fill.
Instead, it makes sense to strategically develop your teams across all skill levels. This includes considering new talent. By doing so, you can create a long-term and sustainable investment in your security workforce (ISC)2.
Building a strong and resilient cyber security team is quite a challenge for any organisation, but it is achievable. You can read more about the skills desired in cyber security in our article.
Develop the competencies of your team
Skills gaps have been identified as a major challenge that affects the whole industry. This is especially true for technical skills, which are the leading cause of unfilled vacancies (Cyber Security Skills Report 2021 National Survey). After all, a trained team means better protected company assets.
The answer to the question ‘how to develop team competencies’ is seemingly simple – through training.
According to the survey, 72% of organisations have conducted an analysis of their cyber security training or skills needs in the last 12 months. Only 52% of these have a training plan in place. Of those that do have one, 32% admit that their plan is not effective (Cyber Security Skills Report 2021 National Survey). At this point it is worth specifying that of course – training is the remedy to the problem at hand – but the incredibly important issue is what it is. So quality will come first.
So what will determine whether training is effective?
This is where enabling valuable experience comes into play to help meet the demand for such sought-after professionals (Manson and Pike, 2014). For this to work, experiential learning must be incorporated into programmes. So, cyber security training should allow for immersion in a hyper-realistic environment that will provide a significant amount of practical training, complemented of course by theoretical knowledge (along the lines of: no practice without theory).
Working in cyber security is inextricably linked to ongoing and continuous education, throughout your career. So adopt a comprehensive training/education strategy that focuses on the knowledge and skills your team needs at all stages of their career development.
Professionals in this industry need to continuously learn if they want to present the highest level of competence and effectiveness in operations, in an ever-changing technical and business environment.
How to create an effective cyber security training programme?
Creating a cybersecurity training program can seem like quite an undertaking. Most employers or department managers may not know where to start or what to include.
That’s why below, we’ve outlined and discussed 11 elements that will help you implement a training programme in your company to ensure it delivers the expected results in the long run, is cost-effective and enhances your employees’ career opportunities.
Analyse your training needs
One of the first steps in developing a training programme is to identify and assess the training needs of your employees. These may already have been established in the organisation’s strategic, human resources or individual development plans. However, if they are not, it’s important to assess which areas to focus on.
It is worth considering what kind of training (in what scope) our team needs. Evaluate the existing knowledge and skills, e.g. by means of special tasks-tests which will help to establish the starting point, and thus avoid wasting time on reworking material which has already been learned. This stage of preparation will help to improve the effectiveness of conducted trainings, and its effect is to set the training goals necessary in the whole process.
A training needs assessment identifies any gaps in current training activities and employee skills. These gaps should be analysed, prioritised and transformed into training objectives for the organisation. The overall goal is to close the gap between current and desired performance through the developed training programme. It should be clear about the goals, which concern the professional development of the participants themselves and the business progress of the company, organisation or public institution.
Perform risk assessment reports
Cyber security is a very broad term, and creating a training programme around it can be varied and take many paths. Therefore, it’s worth taking stock of the immediate threats that your business may be/is exposed to and should be mitigated. Look at the bigger picture (the overall level of security) and then assess your company’s vulnerabilities. Conducting a risk assessment of your systems, networks and other digital assets will help you prioritise and identify which areas pose the greatest security risk to your business. Knowing this information will prioritise the most important issues and ensure your training programme is relevant and effective.
Get management buy-in
When developing a training programme, it is important to get management buy-in before you take steps to launch it. This will help eliminate potential roadblocks to using company resources for this purpose. It is advantageous when senior managers not only accept the programme, but also actively engage in it and support changes to policies and processes. This makes the introduction of new policies and procedures easier, and the validity of your initiative will be validated with those who might consider the effort a waste of time.
Cybersecurity training is more than taking a few courses. It’s about building a security-conscious culture. The cost of training is worth the return on investment (ROI) when it comes to protecting customers and their data and your company’s proprietary information.
Just gather statistics on training costs and compare them to the cost of rebuilding your reputation and customer base after an attack. Show how training relates to your organisation’s overall cyber security strategy and mission. Raise awareness of the importance of training (read „human” component). Outline how cyber security is important to serving customers and keeping employees safe.
Use practical learning methods such as cyber range platforms
In an industry where there is so much talk about the importance of experience, teaching/training methods should be tailored to meet market demands. Traditional classroom lectures emphasise theoretical learning. To enhance learning and allow participants to gain experience, it is preferable to immerse them in the real world, in environments replicated by practical labs and computer simulations (Topham et al., 2016).
Rather than exposing the user to descriptive experiences, as is the case with other methods, simulations provide a high level of realism, engaging students in a way that other types of training lack. By providing immersive learning environments, they allow students to actively learn by putting concepts into practice, and they increase interest in the issues (Arora, 2018).
As noted by authors in various publications, the concept of experiential learning and its application in computer simulations can be very effective in maximising learning, as it allows students to build experience, rather than just learning concepts and theory (Botelho et al. 2016)
Timeline of training activities
When to start training employees?
Ideally as soon as possible, already during onboarding, treating it as an integral part of joining the company. In addition, certain solutions give you the opportunity to check the qualifications of candidates for a job (and start at the recruitment stage, as it were). Thanks to this, you will find out with which issues they cope well with, and which still need to work on. You will gain information as to whether the person fits into the organisation and the team, as well as how much work is ahead of you and how the training should be adjusted. In addition, it is likely that the employees themselves will be more motivated.
Learning should be accessible and it is good if it can be done in the context of day-to-day activities. As it turns out, the employed people expect training to be available in the workplace. It is therefore worth taking account of training materials/scenarios of varying duration. Shorter ones – will allow for integration into the rhythm of the working day and operation/support of critical systems.
And also longer – they will enable a broader view and an in-depth analysis of extensive security issues. It is worth remembering about breaks, so that participants can relax, regenerate (it is estimated that the brain needs as much as 20% of our resting metabolism to work). Above all, it is important to take into account the preferences of training participants as regards the length of training and the volume of material.
During training, participants’ progress should be monitored to find out if employees are mastering more skills and to gain feedback on the effectiveness of the programme. Furthermore, for motivational reasons, to increase engagement and awareness, trainees should be able to see the results of their actions. Analysing the results offers great opportunities. Even if some material is more difficult, you can „correct” your path on the fly, e.g. go back to an earlier stage, complete the necessary knowledge, do additional tasks, etc.
Evaluate the training program
As we have already mentioned, the cyber security training programme should be constantly monitored. Nevertheless, it should also be evaluated after its completion to determine whether it was successful and whether the training objectives were achieved. In addition to certain indicators/reports, it is also useful to obtain feedback from all employees to determine the extent to which knowledge and skills have been assimilated. Analysing the feedback and feelings along with the performance evaluation will allow the organisation to identify the next steps to take and set objectives for the next training.
Retrain employees regularly
If the thought crossed your mind that training once a year is sufficient, then we must dispel any doubts. This is not and will not be the case – especially in the demanding and dynamic cyber security industry, where hacking techniques and tools are constantly evolving. This should be approached like updating software, patching vulnerabilities or doing backups – regularity is the key. It is also worth providing equally dynamic training. A ‘once and done’ approach to training can fail the test and be very costly to an organisation.
Regular retraining of employees is a must. Make it a habit. Focus on cyber security for the long term. Keep up the pace of training throughout the year, continuing to reduce your organisation’s cyber risk.
Adapt the programme to the participants
We’ve already written that the training programme should be tailored to your company’s needs. In addition to this, you should make sure it is also tailored to your employees. If they work remotely, it is recommended that the training allows them to improve their competences from home, e.g. thanks to the cloud. It is also important to address issues relevant to specific roles/positions, to be able to select the content according to the level of knowledge, skills and experience, to use tools used in everyday work and to take into account the preferences of participants. Customisation means better individualisation of training, and therefore better results.
Ensure motivation and a positive message
This is a secondary point, so to speak, and is linked to those mentioned above. However, it is so important that it cannot be omitted. Firstly, we want employees to be internally motivated for continuous training. If the motivation level is low, you will either have to work hard to overcome the participants’ resistance, or they will not learn anything, or both.
Motivation should be addressed even before the actual programme starts, by communicating the objectives so that the employees can recognise them as their own. Listen to and analyse needs, taking into account the preferences we have discussed so much (length of training, format, knowledge and skill level). Allow to see the results and track progress (I can see up to date = I want more).
In addition, the tone of the training should be positive and encourage the team to improve in cyber security. Under no circumstances should participation in training embarrass employees! It should not even make them think that if there are any areas for improvement, it will be seen as proof of incompetence. It is therefore worth communicating this repeatedly, right from the start.
Training in the form of presentations is not enough
There are many courses that have the advantage of being able to teach multiple users simultaneously. They focus on massiveness and a didactic approach – they have pre-recorded lessons, provide some formative assessment in the form of quizzes and online tests, and texts to read.
Of course, there is nothing wrong with some elements of the training including presentations. However, the centre of gravity of the whole learning process should not be shifted to them. As the authors point out in their publications, such a solution does not take into account critical thinking and problem-solving skills. It also fails to provide training simulations that, by incorporating realism and immersing the learner in virtual simulations, build the experience which is so desired (Beveridge, 2020).
The skills that employees acquire can have a huge impact on the resilience of an organisation. This is why it is so important to include their development and training. However, creating a training programme need not be an impossible task.
As the European Cyber Security Organisation (ECSO) points out, there is a lack of appropriate and accessible tools at a professional level to continuously raise awareness, train and develop skills in this area.
So what exactly are they?
They are those that allow the implementation of practical training and build the necessary experience, like a cyber range platform.
Cyber range platform will help build the competencies of the cyber security team
The essence of cyber training can be captured in the well-known adage „Train like you fight and fight like you train”, which only reinforces the idea that the value of training diminishes without the right level of realism. Today we are dealing with complex systems that are constantly evolving. They therefore require realistic, risk-free learning environments in which beginners as well as experts can train. It’s not about accumulating knowledge, it’s about getting professionals to the point where they can prevent incidents and respond quickly and effectively to real-world situations with appropriate action.
As Karjalainen et al. (2020) indicated, it is impossible to learn to do this without dealing with similar situations during training or exercises. Referring to Herrington and Oliver’s theory on designing a framework for learning environments, continuous training in authentic environments is required. This refers to the accumulation of knowledge and skills in contexts that reflect the ways and environments in which knowledge and skills will be used in real life (Karjalainen et al. 2020).
OK, but what exactly is a cyber range platform?
Cyber range platform – what is it and what are its applications?
Originally, cyber range platforms were used by military institutions for cyber security training in the context of national defence strategy (Damodaran & Smith, 2015). Since then, their use has expanded to the private sector, public sector and academia. It is a virtualised platform that provides a secure, isolated and realistic environment and enables:
- training employees on cyber security
- testing your team’s current capabilities
- testing security and cybersecurity products
- screening potential candidates to join the organisation for their skills
- conducting research to identify and detect new threats and mitigation solutions
- educating students and preparing them for future work
The possible applications are numerous. But the most important, in the context of this article, is hands-on training of employees based on simulations that help them build muscle memory. Simulations are immersive, so there is a better chance of learning and acquiring skills. Going further – to better protect their own data, customers, partners, etc. According to the students surveyed, in addition to increasing knowledge and critical thinking skills, simulations can have the side benefit of … an enjoyable learning experience (Beveridge, 2020).
What should a good cyber range platform have?
Cyber range platform includes a number of different functionalities that make it an advanced solution, enabling it to be used in many important cases for organisations. Below we present the most important of them:
Breach and attack simulation
This is a set of mechanisms built into the cyber range platform, allowing the simulation of malicious traffic based on real threats and simulation of security breaches. They make it possible to create single attacks as well as their entire paths. It is also worth noting whether the cyber range platform can be integrated with popular hacking tools.
Network infrastructure simulation and management
A mechanism that allows for faithful representation of machines, networks and system applications. It enables comfortable and intuitive creation and modification of network diagrams to be used in training scenarios.
Network traffic generator
A mechanism that allows to fill a network of training scenarios with reliable network traffic. It allows simulating the activity of neutral users.
Simulation of internet services
A set of ready-to-use services that simulate the Internet and the neutral services in it.
Cyber attack scenario library
A catalogue of built-in and ready-to-use training scenarios of different levels of difficulty, duration and intended for different roles and positions in an organisation. It is good if they are created based on a recognised standard, such as the well-known MITRE ATT&CK® matrix. This ensures that the tactics and attack techniques used on the cyber range platform are universal.
Training scenario building tools
A set of tools that allows you to create your own training scenarios or infrastructures from predefined or custom machine images.
Toolkit for instructors
It enables the instructor to control and supervise training sessions. It allows interaction with participants, evaluation of actions, solving problems or receiving reports with results.
A functionality thanks to which information on user actions is collected and analysed. It allows progress to be tracked and evaluated in real time through automated checks.
Interoperability and integration capabilities
This refers to the API offered by the cyber range platform. It should allow integration with external systems. It is good if it also supports connection to other virtualisation platforms and cyber ranges.
Interaction with virtual and physical resources
A mechanism to connect physical devices to virtual networks used in training scenarios. It is advisable to check how this mechanism is implemented and what types of physical devices can be connected to the platform.
If you want to find out what the cost of a cyber range platform depends on and what you should consider when buying one, you should take a look at our article!
Organisations can prevent cyber attacks by building the competencies of their cyber security professionals. Don’t just focus on theory, but bring practical training into play. Use solutions that allow them to gain experience, which is at a premium in this matter. You have a real influence on all of this and, after reading this article, also the guidance you need to implement significant changes in your business.
Make an appointment and find out how we can support you!