Happy National Cybersecurity Awareness Month! We all know that cybersecurity isn’t just a month-long focus area for businesses and individuals, but this month we are grateful for the collaborative effort between the government’s Department of Homeland Security and the National Cybersecurity Alliance, which together place a lens on cyber (as an industry, strategy, and operation). It reminds us that the industry is ever-evolving and impacts each of us. It is not an isolated moment in time (despite the month-long focus), nor is it targeted to a specific industry or professional. Breaches continue to damage businesses, and the discussion about the cyber talent “gap” forges on. As the world turns its attention to cyber in October and the industry evolves to better serve today’s professionals and businesses, we wanted to communicate the critical idea that cyber really IS for all as we strive to make cyber awareness learning accessible, intentional, and effective.
Making cyber learning accessible
We believe there are 3 ways to make cyber learning more accessible:
- Provide a comprehensive learning curriculum
- Make cyber training accessible via the Internet
- Use gamification as a mechanism for ingesting and retaining new information
Before we dive into each of those areas, let’s get more context about the concept of cyber learning itself. For a long time, cybersecurity has been thought of as a technical career and while there is a great deal of technical prowess that goes into the day-to-day tasks of a cyber pro, the idea of cybersecurity being an “anyone can do it” profession hasn’t popularized – and rightly so.
With roots in the military and government (cyber range training), learning cybersecurity has been a structured, systematic, and data-driven process typically executed in a passive learning setting where students watch or listen and then take a test at the end of the lesson. There is minimal opportunity for hands-on practice in safe and secure environments, making cybersecurity learning and awareness of its purpose, value, and function a little more ethereal than we in the industry would like.
Comprehensive Learning Curriculum
One way to ensure “cyber for all” (our rallying cry year-round) is to make cyber training more readily available to reach today’s learner (the next generation of cyber pros) while injecting a touch of personal accountability to actualize this motto.
A cyber learning curriculum should address 3 things:
– General awareness topics: These are topics that are broadly applicable to all employees of an organization and ones they should know regardless of IT level or expertise. Cybersecurity awareness topics at this level might include phishing, malware, social engineering, identity theft, removable media security, insider threats, social media vulnerabilities, etc.
– Industry-focused topics: Relevant cybersecurity issues segmented by industry where security is a priority, especially highly regulated sectors like healthcare, government and industry, finance, election security, manufacturing, electricity, etc.
– Executive-level topics: More functional/business topic areas where corporate leaders and other high-risk personnel and privileged users are impacted. Cybersecurity awareness topics at this level might include support/maintenance, consulting, managed services, legislation, risk assessment, etc.
Offering pathways that interested cyber enthusiasts or seasoned pros can “walk along” gives learners an idea of how to develop their knowledge and skills. Further, cyber learning and awareness become more accessible because there is a route, or cyber learning journey, for everyone to choose.
The other way to ensure cyber awareness learning is accessible is to make the act of learning available to virtually anyone via a browser. Online training is quite popular today among cyber enthusiasts and pros in training who want to hone their skills, and being able to access a cybersecurity course or activity online without having to leave the office or home is not only convenient but preferred these days. Some companies (like ours) are taking cyber training a step further by placing it in the cloud (Microsoft Azure) so learning can be scalable, more collaborative, and more customizable to learner needs.
Gamified Cyber Learning
Finally, cyber awareness learning can be attained by making learning fun. We do this with elements of gamification, which engage and inspire learners to train in environments that are not only realistic but also supported by a compelling narrative that invites players to progress through activities. Components like leaderboards, points, badges, and team-based collaboration allow learners to build a sense of “healthy competition” while learning and building skills and cyber competencies. Circadence offers learners of all skill levels various game-based activities from foundational concept learning in games like RegExile to application and analysis in Project Ares’ battle rooms and missions.
One student who played our RegExile cyber learning game in his cybersecurity course at CU Boulder said:
“I played the RegExile game today and I have to say I have hated regex till now, but when I learned it through the game, I actually liked it. It was really fun. I liked the concept of how a false sense of impending danger from the robots can make you think better and learn more. I was typing out my regex and actually thinking quite hard on how it could work and what I could do to make sure it was right as I did not want to lose the shield. I learned more through this game on regex than what I had in my undergrad class.”
Make Cyber Learning Intentional
Cyber learning has to be intentional. In order for students and existing cyber pros to get the most out of their training, they need a curriculum path that is not only diverse (based on skill needs), but also one that addresses all phases of learning: knowledge, comprehension, application/analysis, and synthesis/evaluation.
After understanding what cyber concepts are and how they impact our professional and personal lives (knowledge and comprehension), a learner needs to be able to build their cyber literacy and knowledge “essentials” by developing baseline cyber skills (application/analysis). Then, they can apply those skills in objective-based activities that synthesize concepts (evaluation).
“I personally found Project Ares to be a great learning experience and thought the mission environment was seamless.” ~ Chris N., UNCW Cybersecurity Operations Club
Making Cyber Learning Effective
As cyber learners, IT Security Specialists and professionals can advance their competencies via recurring role-based training combined with continuing education and real-world experience training. Cyber learning needs to be rooted in best-practice, industry-defined frameworks, and there’s no better model to follow than the framework set forth by the NIST/NICE organization.
By aligning the learning curriculum with work roles, learning concepts and skills inherently becomes more effective because it is RELEVANT for people. They learn concepts and how to apply them, and can draw connections to how those concepts apply to their own jobs or jobs they aspire to. Further, the learning permeates into individuals’ personal lives as well, enhancing cybersecurity at home.
We have built five NIST/NICE work roles into Project Ares for trainees to work toward, including:
– Cyber Defense Infrastructure Support Specialist
– Information Systems Security Manager
– Threat Warning Analyst
– Systems Security Analyst
– Cyber Defense Analyst
Intentional cyber learning following this framework focuses on a particular technical topic, such as Incident and Event Management, Identification of Privilege Escalation Techniques, or Elections and Voting Security. This type of work role specification helps make learning cyber a reality.
Summing it up
While there’s no switch to turn on every part of this “cyber for all” plan, we hope it helps shed light on ways security leaders and HR directors can begin to cultivate an inclusive cyber culture in their own workplace, among their own teams. As we celebrate National Cybersecurity Awareness Month (NCSAM 2020), it’s important to resurface conversations around what it means to actually be aware and how we can turn that meaning into something that really makes an impact on a business’s security posture. We hope this post is one inspiration to start those conversations around shared responsibility to ensure everybody stays safe during these unprecedented times.