How cloud-based training can help address the cybersecurity skills gap [Q&A]
It's widely acknowledged that there's a skills shortage in the cybersecurity field. Many businesses are looking to address this by training their own security talent, but this in itself can be a challenge.
We spoke to Zvi Guterman, founder and CEO of virtual IT labs company CloudShare, to find out how the cloud can help address security training issues.
BN: There is a growing shortage of skilled cybersecurity professionals. What role does training play in addressing this?
ZG: Organizations are having a hard time finding experienced talent to fill cybersecurity positions. Research from ESG/ISSA indicates that 70 percent of organizations have been impacted by this talent shortage.
A logical choice to address this shortage is to search internally and cultivate potential candidates, which is wise for two reasons. First, it sends a positive message to team members; they can see there is opportunity for internal advancement and the company is willing to invest in them. At the same time, it allows an organization to train that rising star in the precise manner that best helps achieve its goals.
Once identified, these people cannot be expected to fill these roles instantly; they must be trained. Plus, those who are already engaged in securing the organization, along with those being counted upon to rise, all need to be informed of the latest threats in this persistent battle.
Still, ESG/ISSA also reported that 62 percent of organizations are not supplying adequate cybersecurity training to these employees.
This alarming statistic, exacerbated by the increases in the sophistication and sheer volume of threats, indicates organizations are rolling the dice. Those companies and leaders who fail to grasp the seriousness of this situation -- and continue to overlook training and the value of an informed cybersecurity team -- may soon find themselves among the next data breach headlines.
BN: What are the biggest challenges facing companies when it comes to employee training?
ZG: There are many reasons organizations fall short when it comes to employee training. As is too often the case, perceived complexity, time and costs top the list.
For instance, enterprise security teams can be distributed across the globe. While consistent, regular training is imperative, getting the right resources together in the right place can present a challenge. In-person training is an effective method to arm personnel with the skills they need. However, to accomplish this requires coordinating a lot of moving parts, time and money. And, it can actually increase risk.
For starters, if the security team needs to be sent off site for training, that is time they're not monitoring the company's defenses. It's also costly to accommodate their travel, lodging and other expenses while they're on the road. The expense can increase exponentially if the organization needs to stagger sessions to accommodate volume, as do the logistics involved in scheduling, delivering and designing courses. And, let's not forget we're talking about security; delays can make all the difference when it comes to something like mitigating the impact of a breach.
However, if companies add in the cloud and the right training platform, processes are not only simplified, they become more cost-effective and powerful. No matter the numbers, regardless of where team members are located, materials and training can be delivered in moments. And right off the bat, cost-wise, there's no travel or accommodations, and because a lot of time is saved, this results in savings in other areas as well.
Then, examine other challenges that are less straightforward, like the talent shortage and cybersecurity certification training programs. In addition to the costs, many IT leaders are hesitant to invest in these out of fear that their employees will only leverage their newly earned credentials to obtain more lucrative positions at other companies, including competitors.
No organization can absolutely prevent this, and frankly, it's a fact of life when there's a talent shortage. That said, employees appreciate seeing their company’s willingness to invest in their development and growth, along with a clearly defined career path, which fosters company loyalty and helps retain talent.
BN: How can companies ensure their staff are better equipped to protect company assets?
ZG: There are easy and cost-effective ways to make sure that employees of all skill levels are receiving the education they need to increase their company's cybersecurity posture.
Keep in mind that one of the most effective forms of training and knowledge retention is when learners get hands-on practice in environments that closely resemble their actual work environments and the resources at their disposal. Just like practice sharpens the skills of athletes and musicians, enabling them to be at the top of their game, practice will enable employees to be well-prepared to respond to and mitigate any potential attacks.
One place to start is making sure that security teams know how to fully utilize the technology investments the company has already made. ESG/ISSA noted that 39 percent of respondents felt they were not able to use their company's cybersecurity tools to their full potential. That's a shame because even the technology vendors themselves offer online programs to certify customer employees on their solutions. Some provide convenient on-demand sessions, and of course, there are user conferences where best-practices are shared.
By allowing employees to take part in such activities, their desire for growth is fulfilled, and the organization benefits with a more knowledgeable security team that’s able to use all the tools in their belt to their fullest. After all, there's no point in buying security technology if it's not going to be put to use and all of its advanced features utilized.
As mentioned, cloud-based training platforms are a very efficient, cost-effective way to ensure teams deliver the most value to their company. The right ones also have some features that can really enhance the learning process.
These could be as simple as instructors being able to monitor student progress in real-time and step in to offer guidance exactly when it’s needed most via chat. On the other hand, the right platform can better equip staff by enabling one of the most effective learning approaches possible -- by doing -- that means practicing in real-world scenarios in safe, sandboxed environments.
BN: How effective are solutions like gamification, cyber ranges and virtual IT labs for training cybersecurity and IT professionals? Are schools properly training the next-generation workforce?
ZG: As stated before, one of the best ways to learn something is by doing it. Cyber ranges and virtual IT labs allow students to experience real-world threats in a safe environment. Experiments and parameters are closely controlled and can be repeated as many times as needed. By actively training against real, modern-day threats, students will better learn how to identify and deal with them effectively. Students coming out of schools that teach skills on the range and in virtual labs will be the ones trained best for the next-gen workforce.
Software developers can also use cyber ranges to validate proof-of-concepts (POCs) of new technologies without affecting live systems. The infinite testing possibilities make cyber ranges an ideal choice for verifying procedures and testing new ideas.
Gamification adds an effective incentive to training. Delivering content in the form of a game increases motivation among students and gets them to complete more training and engage deeper in the learning process.
BN: What skill-building strategies can companies deploy to strengthen their cybersecurity posture across the enterprise?
ZG: Education is key, not only for training cyber teams, but everyone; employees are still the biggest threat to a company's security -- and not intentionally. People are the weakest link and must be taught how to be vigilant.
Strengthening the security of the IT estate needs to start from the top. The enterprise's CIO, CSO or CISO is the top security officer and needs to set a tone, evangelising the criticality of exercising security best practices for the benefit of not only the organization, but everyone in it. Regular training sessions should be conducted, updates on the latest threats distributed; basically, companies must promote awareness with internal communications.
It cannot be assumed that staff realize not to click links in emails from unrecognized sources. Today's phishing and ransomware statistics clearly show otherwise. Employees must be educated on threats and understand their actions, even well-intended ones, can put the entire company at risk. Security teams can run tests to see if training is effective and people are less tempted to click a ransomware-laden link.
Finally, security posture should be emphasized from the beginning. Human resources, often responsible for employee onboarding, should begin enforcing how paramount good security practices are as soon as that person accepts their offer.
Security cannot be overlooked, from both a technology and training standpoint. Education is the key to imparting that knowledge. By increasing the security posture organization-wide, and with more employees being aware and vigilant, the strain placed on an already short-staffed security team can also be alleviated.