
Author: Circadence

Why Continuous Learning is Key to Strengthening Cyber Teams

There is a lot out there about the benefits of continuous learning—or continuous professional development—and what we’re gleaning from research is how POWERFUL the approach can be when applied to cyber team training.

Like most industries, the only constant in cybersecurity is change. It’s not enough for cyber professionals to get technical degrees and certifications to call themselves experts. Ever-evolving cyber threats are a constant thorn in the sides of cyber professionals. They are responsible for finding new ways to stay ahead of the game to swiftly and efficiently defeat threats before they do damage to their company. CISOs in particular have the unrelenting challenge of identifying opportunities to assess, enable, train, and retain their cyber teams, which usually requires time they don’t have. To assist with this challenge, a simple and effective solution is continuous learning.

Continuous learning is exactly what it sounds like: the ability to continually develop skills and knowledge to perform effectively in the workplace. When it comes to cyber teams, they must be “students of the business,” willing to stay current with the latest news and industry developments to grow their understanding and apply any new knowledge gained to their jobs.

Practicing continuous learning within your cybersecurity team delivers the following benefits:

  • Protects your company against evolving cyber threats
  • Enables and empowers cyber teams to perform optimally and efficiently
  • Increases productivity
  • Expands knowledge of current hacker methods and understanding of ways to stop attacks
  • Improves decision making
  • Stimulates cognitive activity, keeping teams actively engaged and passionate about what they do

Due to the widespread skills shortage of cybersecurity professionals (projected 1.8 million open and unfilled positions by 2022), organizations need ways to develop skilled teams to fight ever-evolving cyber threats.

Many leaders are addressing this problem by adopting a continuous learning philosophy that involves consistent training and up-skilling their teams. In fact, 60% of companies use training to build security expertise (Coursera) and 70% of cybersecurity professionals agree that they must keep up with their skills or the organizations they work for will be at a significant disadvantage (ESG Research).

However, preconceived notions of cost and time prevent lots of companies from offering continuous development opportunities for their employees (only 38% of cybersecurity pros say their organizations provide the right level of training and education). Fortunately, there are training platforms out there (such as our very own Project Ares®) that are both cost-conscious and time-saving in the sense that they don’t require time away from the office to train.

We recommend CISOs adopt continuous learning by:

  1. Interviewing and assessing cyber teams to identify skills deficits and, therefore, understand what team members need to learn/develop.
  2. Addressing large workloads via automation and augmentation so that cyber teams can move away from data handling tasks and into higher-level reasoning and analysis.
  3. Providing ample opportunities for skills development through persistent, gamified training, mentoring, networking, and continuing education.
  4. Developing teams incrementally and continuously via a “day-by-day, month-by-month” mindset – as the job is never done in this field.
  5. Dedicating resources, setting expectations, and aligning corporate culture with the goal of enabling employees to get the learning they need to protect and defend the organization at every stage of their careers.

Continuous learning will up-skill and strengthen your cyber teams so that they are prepared to defend your organization against ever-increasing cyber threats.

Increased understanding, skill, and application of offensive and defensive strategies will greatly improve your organization’s security posture and help keep the hackers at bay. As technology and connectivity strengthen with each passing day, steps must be taken immediately to adopt a culture that values and emphasizes continuous learning to help avoid your organization being featured as the victim in the next cybersecurity attack headline.

Why We Can’t Keep Ignoring Cyber Fatigue

The ever-present threat of cyber attacks is taking its toll on info sec newcomers and veterans alike, who are struggling to keep pace. It can lead to cyber fatigue, a growing concern among both cyber professionals and consumers.

But just WHAT exactly is it? Most resources associate it with users who “just can’t be bothered with using a new password,” prompting users to make poor decisions with regard to their security efforts. In our experience working with government, academic, and commercial enterprises, cyber fatigue affects cyber professionals who are overworked, under-resourced, and lack proper training—leaving professionals throwing up their hands in fatigue and frustration.

Many organizations do not have the right-sized cyber teams to alleviate workloads and effectively combat attacks; cybersecurity employees are fatigued from long hours, lots of pressure, and unreasonable workloads. This leads to dissatisfied employees and high attrition rates. This is a serious problem because an organization that trusts its data security to a fatigued cyber team is ultimately a threat to us all.

According to a KPMG report, “How to Bounce Back from Cyber Fatigue”, a new model is needed to transform cybersecurity strategy from one that is draining and reactive to one that is energized and proactive.

A Five-Pronged Approach to Combat Cyber Fatigue

The KPMG report offers a five-pronged approach for organizations to combat the symptoms of cyber fatigue:

  • Make measured investments in cyber capabilities based on risk: Quantify the risk by understanding its impact and effect on overall business objectives. How will a threat actor interrupt the achievement of a core business goal? Then look at the risk in terms of monetary cost to the company compared to likelihood of the risk occurring based on current circumstances.
  • Regularly measure the effectiveness of your info security investments: Info security costs include the expected physical hardware and software costs in addition to more intangible elements like supply chain services, training, etc. Listing out all current allocations of resources and spending will allow info sec pros to compare the cost of cybersecurity to their overall risk tolerance and make adjustments in investments to best meet the organization’s needs.
  • Develop/align the right cyber risk management model: Communicate on an enterprise-wide level the significance of a “protect data first” mentality across the organization and set expectations that breaches are not an “if” but “when” occurrence. Ensure all stakeholders understand what is needed to manage today’s risk and how the cyber team is preparing to protect and defend the company.
  • Continually update your model to reflect emerging threats: Continued vigilance is key to managing cyber threats. They’re a moving target and companies need systems or platforms to help prepare cyber teams to combat the latest attacks. Immersive training platforms like our own Project Ares® can help teams and leaders make continued investments in their skills development to keep pace with evolving cyber threats.
  • Build and promote a risk-aligned security organization: Cybersecurity isn’t just the responsibility of the info sec department or the CISO. It’s an enterprise-wide responsibility. It needs to be treated as a strategic priority with a top-down focus. A cybersecurity readiness program that includes a skill assessment and skills development component will help keep cyber teams prepared to manage the latest cyber threats and attacks.

Instead of a “spend more, more, more” mentality, organizations would benefit from taking these approaches and starting collaborative, C-suite involved conversations that advance them toward a culture of cyber awareness and proactivity.

Cyber threats are only getting more sophisticated and intelligent and cyber teams need to do the same in their cyber workforce preparedness. By maximizing info security investments and protecting the firm’s assets with robust staff training and skills development, CISOs can sleep a little easier at night—and more readily tackle tomorrow’s cyber threats.

Common Cybersecurity Issues and Challenges

We’re taking a 30,000-foot view of cybersecurity to understand the state of the industry from an enterprise perspective and share some common challenges faced by diverse industries. Doing so provides infosec leaders insight into how challenges emerge in their workplace and potentially a sense of relief knowing their industry (and themselves, as professionals) are not alone in this struggle.

Cybersecurity remains dynamic and turbulent as businesses and technologies grow in complexity and hackers become more sophisticated. There is much discussion regarding the need to increase cybersecurity spending to expand cyber teams to cover more ground. And we know that many businesses lack confidence in their current cyber readiness, due in part to many of the common challenges detailed below.

Lack of qualified cybersecurity experts

Finding cybersecurity professionals who possess specific technical skill sets is an uphill battle for many infosec leaders who are trying to grow and expand their cyber teams. According to Harvard Business Review, one of the main reasons is that businesses tend to look for people with traditional technology credentials instead of individuals possessing a wide variety of professional and technical skills. As attacks get more sophisticated, varied skill sets, both technical (forensics, network analysis, malware detection) and professional (communication, problem-solving, analysis), will be required to combat them effectively, so leaders would be wise to expand their talent searches to include more diverse skill sets moving forward.

Lack of structured upskilling among talent

Senior staff often have a significant advantage over newer hires because they understand the ins and outs of their company. However, simply because they have advanced in their careers, they are not necessarily the most effective when trying to teach junior staff new skills and approaches to cybersecurity, since conducting effective training is often a full-time job itself. Concurrently, it is difficult for IT professionals to consistently remain up-to-date on best practices across all aspects of cybersecurity. The IT Security Employment Outlook report and many other resources note a 3 million staffing gap in cyber positions. Skills needed include the ability to identify key cyber terrain and risks, protect organizational assets and data, detect unauthorized access and data breaches, respond to cybersecurity events and attacks, and recover normal operations and services. Investing in consistent, structured, measurable training to upskill existing team members is an effective way to assess and combat these deficiencies.

Staff retention and fatigue

Since many organizations do not have the proper resources to alleviate heavy workloads and to effectively combat cyber threats, information security employees are often fatigued from long hours, immense pressure, and unreasonable workloads. These issues contribute to dissatisfied employees and high attrition rates across the industry. All of these issues taken together pose a serious problem because an organization that trusts its security to a fatigued and undermanned or under-skilled cyber team is ultimately a threat to us all. CSO magazine recommends that companies assess “the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counseling.”

Combating common cybersecurity challenges

These challenges are daunting and exist across many industries, keeping many infosec professionals up at night. Fortunately, by expanding the pool of candidates for positions by looking for more diverse skill sets, investing in immersive cybersecurity training, and understanding the state of mind of key staff members including monitoring their level of job satisfaction and fatigue, firms can more effectively combat these common challenges.

Understanding Malware Analysis

The malware industry has come a long way and currently, it’s a very lucrative business. This is one of many reasons that makes studying malware so fascinating. It’s an interesting mix of technology, psychology, and commerce. Psychology is what makes malware effective, and commerce is what ensures more hackers continue to develop new and interesting malware.

Information security has long been considered an arms race. According to G DATA Software, a new malware specimen emerges every 4.2 seconds. The good guys develop responses to things the bad guys do, causing the bad guys to develop new ‘weapons’ that get around the defenses the good guys put into place. Perhaps nowhere is this more evident than in malware. In 1987, the first antivirus software was released for the Atari ST. Coincidentally, also in 1987, Fred Cohen of IBM said, “There is no algorithm that can perfectly detect all possible computer viruses.” In spite of having detection and removal capabilities for 30 years, we are more plagued with virulent and destructive software than ever before.

All this is to say that a need exists to better understand malware by performing malware analysis. This work is primarily relegated to the antivirus vendors. However, the details of how the malware behaves are often hidden, primarily because exposing the details in the code can provide others hints on how they could start and improve that code for future malware. This is, of course, happening already in the malware development community.

To understand how to assess malware, you need to look at a few important elements. First, you inspect the infection vector, that is, how the malware infected your system in the first place. While there are many pathways, including compromising a system, the popular ones today are often based in social engineering, which relies on psychology and manipulation of the user. For example, an attacker may use e-mail either to deliver the malware directly or to get a user to visit a website that includes the malware used to infect your system. An attack delivered through such a website is called a drive-by attack. The idea is that you are “driving by” the website and get attacked in the process.

Another, related, attack is the watering hole attack. In a watering hole attack, the malware is still hosted on a web server the user is expected to visit. The difference is that with a watering hole attack, the attack is more targeted. The attacker infects a website that the targets are known to use in order to infect the targets. The attacker may be aware of the demographics of a site like ESPN, for example, and infect that site to infect people who are regular visitors there.

Knowing the infection vector and tracking the malware back to the point in time when it entered your system is important. The reason for that is in some cases, the initial infection may be small, but the malware may download a lot of other software, including other malicious software. A small infection program that installs more software is often called a dropper. Identifying the time when the malware entered a system can provide a reference point to look for other software that was installed about that time. This way, you aren’t just finding the initial attack and leaving all the other landmines behind.
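The time-based pivot described above can be sketched as follows. This is an added example, not code from the original article; the function names, the file names in the sample tree, and the reference time are all constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone


def installed_near(root, reference_ts, window_seconds=900):
    """Return (mtime, path) pairs for files under root whose modification
    time lies within window_seconds of reference_ts, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # lstat: do not follow symlinks planted in the tree
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if abs(mtime - reference_ts) <= window_seconds:
                hits.append((mtime, path))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree with known timestamps.
    Offsets are seconds relative to the assumed infection time."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    reference = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc).timestamp()
    sample = {
        "old_report.doc": -86400,   # a day earlier: unrelated
        "dropper.exe": 0,           # the initial infection
        "payload.dll": 45,          # written shortly afterwards
        "sub/helper.sys": 300,      # five minutes later
        "later_update.log": 7200,   # two hours later: outside the window
    }
    for rel, offset in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (reference + offset, reference + offset))
    return root, reference


if __name__ == "__main__":
    # Modification times are user-settable, so treat a match as a lead to
    # corroborate with other evidence, and an absence as inconclusive.
    root, ref = build_sample_tree()
    for mtime, path in installed_near(root, ref, window_seconds=600):
        stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        print(stamp, os.path.relpath(path, root))
```

On a real investigation, run this kind of search against a read-only image or mounted copy rather than the live system, so the search itself does not alter timestamps.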

Understanding how malware works and gets onto your system is an important and complex task. It requires understanding operating system internals as well as a reasonably deep understanding of how programs are constructed. Considering what can be at stake with your system and the files that are stored on it, people who perform malware analysis with the goal of finding ways to prevent or remove the malware are performing a critical function in our interconnected world.

Four Reasons Your Security Team Should Be Training on a Cyber Range

It seems that every other week another mega-breach is making headlines. Cyber teams barely have time to bolster their cyber defenses before a new attack vector is revealed. It is nearly impossible for teams to train in such a rapidly evolving threat landscape through traditional lecture-based methods. Today’s threats demand an immediate shift in approach.

The next generation of cybersecurity training involves active learning through realistic, immersive training missions performed in high-fidelity cyber ranges. These virtual environments, which replicate actual enterprise environments, allow cyber warriors to practice with real-world tools defending against simulated threats.

Here are four reasons why you should consider modernizing your cybersecurity training program by implementing a cyber range-based approach:

1) Authenticity – The most critical aspect of any cybersecurity training program is that it provides an authentic experience to the trainee. The cyber threat landscape changes rapidly so your training must be agile and responsive. Face-to-face simulation exercises attempt to replicate this experience and certainly go beyond what is offered in a classroom. However, they must be updated frequently to be truly impactful, which isn’t realistic.

Additionally, these table-top drills address an incident in theory. Cyber ranges allow a team to practice identifying and mitigating threats in a replicated environment using real-world tools. True-to-life representations of network, host traffic, and user activity more effectively challenge professionals to consistently hone their skills. This authentic experience ensures a cyber team is ready to act quickly and effectively when the time comes.

2) Repetition – Studies show that information loss following lecture-based learning is rapid—as much as 90 percent within the first week, according to Learning Solutions Magazine. However, when applying the principles of active learning through doing and repetition, long-term information retention increases to 75 percent (National Training Laboratories Institute). This means security professionals who are actively training in cyber ranges are more likely to retain—and be able to act upon—the skills they acquire. Therefore, they are better prepared for attacks and able to respond more quickly to mitigate threats, ultimately saving their organizations money in the long run.

3) Scale – Even a top-notch course is limited in value if it cannot scale to train all personnel. Week-long trainings out of the office offer point-in-time content and take critical resources away that can leave your organization vulnerable. A cyber range enables security leaders to train teams of any size—from individual skill-building exercises to full-scale missions involving both red and blue teams. Additionally, instruction can happen on demand—weekly or even daily—without taking cyber defenders away from the front lines.

4) Gamification – Much has been said in the last five to ten years about gamification and its role in motivating teams. Cybersecurity professionals, perhaps more so than any other type of team, crave the agility, technical prowess and competition that comes with their roles. If they are not engaged in the cyber fight, they want to train in a way that is meaningful and have a record of progress and growth. Cyber ranges give teams a platform to engage as teams in gamified training. Red teams and blue teams can train head-to-head in real-world scenarios. Also, range-based platforms like Circadence® Project Ares® provide security leaders and team members with full visibility into skills progression.

As the technology landscape grows in complexity, enterprises, more than ever, are relying on people as their first line of defense. This approach demands a shift in our approach to training cyber professionals. It’s no longer enough for cybersecurity professionals to attend yearly or quarterly trainings. Professionals need realistic, immersive and responsive training achieved through cyber ranges.

Malicious hackers are persistent; our training must be as well. By utilizing cyber ranges, we can begin modernizing our approach. Contact the team at Circadence for more information on range-based cybersecurity training with Project Ares.
