Trying to keep the cybersecurity playbook current might seem like mission impossible. New threats, risks and problems appear on a daily basis, while enterprise budgets remain painfully tight and skill shortages rampant. I believe one way to approach this challenge and increase your odds for success is to view cybersecurity training in much the same way NFL teams approach practices and games.
It's no secret that the most talented teams don't necessarily win every game. It's all the hard work, preparation and training that lay a foundation for game-day success. What football fan can forget Patriots coach Bill Belichick's famous statement after winning Super Bowl 51: "As great as today is, in all honesty, we're five weeks behind 30 teams in the league in preparing for the 2017 season."
In fact, observers often say that 90% of a team's success hinges on what happens between games in team meetings, strategy sessions and practices. When game day arrives, the team is mentally and physically prepared for whatever is tossed its way.
Yet, there's a perception in the corporate IT world that training draws time and energy away from the "real" work of implementing new technology, responding to events and ensuring business continuity. These are vitally important tasks, but rather than punting on training best practices, organizations should recognize that it's an integral part of an ongoing drive to the goal line.
Here are four rules that can help your organization reach the cybersecurity end zone:
Rule No. 1: Practice makes perfect.
It's an old and somewhat hackneyed saying, but it remains true: Practicing the right habits over and over etches them into brain and muscle memory, whether it's a pass play, a secure-coding review or the response to a suspicious email that could trigger ransomware. At some point, the play becomes almost instinctual.
In cybersecurity, however, instincts must be balanced with nuance, as different situations require slightly different responses. As a result, it's critical to teach key cybersecurity skills through hands-on repetition in a safe, isolated environment such as a lab or cyber range, where a mistake costs nothing. A good starting point for training is to assess teams, understand skill and knowledge gaps, and provide targeted training that's appropriate for each role. It's also critical for team members to know their roles and understand how they fit into the overall cybersecurity program.
Rule No. 2: It's not how much you train; it's how well you train.
Practicing bad or ineffective habits accomplishes nothing. It fumbles away precious time and resources. But practicing more doesn't guarantee more wins, either. There's a clear limit to how much training can take place on and off the field. On a football team, overtraining can lead to injuries. On a cybersecurity team, it runs up costs, undermines productivity and causes burnout. In today's budget-conscious world, two things are critical:
• First, you must ensure that content matches the role and responsibility. A tight end isn't a quarterback, and a field-goal kicker isn't a lineman.
• Second, you have to tackle training efficiently. In practical terms, this might mean using role-centric self-paced training modules for the broad base of staff and reserving seminars, workshops and certifications for the people whose roles actually call for them.
Rule No. 3: Know your players, and keep score of their progress.
Trainers and coaches understand that measuring performance and results is essential. Consequently, they use tools and technologies to gauge fitness, performance and potential gaps. At the annual NFL Combine, which assesses draft-eligible players, physical and mental tests help teams predict a player's future success.
Cybersecurity leaders should think the same way about tracking skill sets. Certifications and degrees on a resume don't matter as much as demonstrated hands-on capability. With the right organizational and individual metrics in place, it's much easier to see what training is needed and by whom. It's also possible to keep the C-suite informed while adhering to regulatory and privacy requirements. Just as an NFL coach applies metrics and operational rigor to assess new hires and the current roster, so should cyber leaders.
Rule No. 4: Cross-training makes you better.
Coaches and athletes understand the value of cross-training. It improves physical fitness and reduces injuries. In some cases, it also allows players to step in and perform in other roles, thus adding flexibility to the team.
Cybersecurity is similar. Employees who have a broader understanding of the cybersecurity playbook add to organizational intelligence, agility and flexibility. A smart way to approach cybersecurity cross-training is to examine how your organization can enhance skills across cybersecurity teams as well as non-security staff. Winning organizations focus on developing skills and cross-training based on known weaknesses, process models, current and projected talent and expertise, and the technologies currently in play.
By focusing on a framework of continuous assessment and training, along with tools like realistic adversary emulation and attack simulation exercises, CISOs and security managers can snap their organization's strengths and weaknesses into focus and, in the end, adopt a winning approach to cybersecurity. They can draft new talent, develop new strategies and achieve a level of teamwork that champions best practices.