From security awareness to security enablement: A new era of cyber
Security leaders have every reason to worry about the evolving threat landscape. As cyber threats proliferate (ranging from HTTP phishing to state-sponsored ransomware), the cyber talent and skills gap only grows wider.
As if this weren’t enough to keep CISOs and CIOs up at night, IT and security teams are less confident than ever in their organizations’ abilities to defend against the latest cyber attacks. Research shows at least 80 percent of IT, security, and other professionals don’t feel adequately prepared to defend their organizations. And at least 68 percent doubt their organizations’ readiness to thwart advanced threats.
So what does this mean for the future of cyber? While security awareness is an important aspect of posture, it no longer suffices on its own, especially when it comes to preparing IT and security teams against increasingly sophisticated threats. Rather than general end-user security training, we need to infuse specialized cyber skill sets into ALL of the IT and technical professionals within an enterprise.
The future of cyber is security enablement, where enterprise leaders enable their technical professionals with the training and skills they need to deploy best security practices throughout the entire technology lifecycles of enterprise applications, products, and services.
Here’s why security enablement is ushering in a new era of cyber.
Traditional Training Does Not Equip Professionals Fast Enough
Formal training often requires at least a week off work and is a huge cost to professionals, let alone organizations. On average, employees are likely to spend at least $1000 annually on training-related expenses. At least 60 percent of IT and security professionals report that they use personal time for security training.
And it’s not just the costs that undermine the traditional training model. Because threats change so quickly, you simply can’t build a curriculum against today’s threats and run the same class around it for the next three to four years. By the time an individual completes a training or educational program, their skills are irrelevant.
A key driver of security enablement is the subscription economy, where you can take online vocational training on a continual, on-demand, and more affordable basis. Technical professionals can quickly scale cyber skills relevant to their roles, e.g. a software developer taking advanced security training for Kubernetes.
Security Teams Need to Focus on Their Own Work
Too often, the burden of vetting products or educating co-workers on cyber best practices falls on security personnel. Rather than spending their time on essential activities, like responding to incidents, they’re serving as consultants for other IT professionals.
With security enablement, all technical professionals have the cyber skills and knowledge they need to incorporate security into all aspects of their roles and responsibilities. It means coders writing applications understand the OWASP Top 10; DevOps professionals understand DevSecOps cycles; and administrators understand how to actually defend their networks.
Security teams can now focus on their core, mission-critical work while technical teams can reduce time-to-launch for products by baking in security from the beginning.
The Cyber Skills Gap Isn’t Going Away Anytime Soon
More than half of organizations continue to report a problematic shortage of cybersecurity skills. And the waning confidence of IT and security professionals only compounds this lingering problem. To address this shortage of qualified personnel, organizations need to invest more in the people they already have.
Security enablement gives all professionals within an enterprise, regardless of security or IT background, a viable career path in cybersecurity. Through modern training platforms and access to instructors who have been on the security frontlines, organizations can help their employees better navigate their professional journeys. This can bring ROI not only in reduced training costs but also in reduced turnover (an average of $15,000 per employee).
For example, a manager can put an employee on a personalized training pathway to become a security architect and quickly scale that same training to larger teams. Managers can easily track employee progress through automated reporting, and share with the CISO accordingly, ensuring all employees meet their training criteria, while guiding them towards their dream jobs.
Implementing Security Enablement
If your organization is ready to put security enablement into practice, look no further than the NIST National Initiative for Cybersecurity Education (NICE) Framework, which establishes a common lexicon for cybersecurity professionals, wherever they sit in an organization.
Ensure your training models and job specifications align with the NICE Framework across seven categories of common cybersecurity functions, 33 specialty areas, and 52 detailed work roles. Use the Framework to drill down on the specific knowledge, skills, and abilities needed to perform tasks in those roles.
In this new era of security enablement, organizations can build security muscle across all technical work roles – ensuring IT and security professionals are more confident and better prepared for today’s threats and well into the future.
Ryan Corey is CEO and Co-Founder of Cybrary. Cybrary is a venture-backed, crowdsourced cybersecurity and IT learning platform with over 2 million users.