Why Cybersecurity Training Is Still Not a Priority
Understanding the importance of cybersecurity training in the people, process, and technology triad.
FireEye’s Cyber Trendscape 2020 survey, a project coordinated by former distinguished Garter Analyst, Eric Ouellet is a fascinating read. The report is interesting for a few reasons. Firstly, the survey demographics focused on over 800 director level and above security professionals from companies between 500 and 5000 employees instead of the normal focus on Fortune 500 organizations. This approach is enlightening as it gives the reader a much more accurate view of what broader industry security operations really look like. In the US there are 3500 large enterprises with more than 5000 employees and over 27,000 with between 500 and 5000 employees.
The second interesting fact is that, in the US, almost 50% of companies had a formal end-user security awareness program while virtually the same number (just less than 50%) had no or minimal formal training for their security team. Globally, over 40% of companies, had very limited or no formal training for their security team. Or put a different way, companies put about the same priority on end-user awareness (“do not click on the bad link in the email”) training as they did on making sure their cybersecurity pros were up to date and well-practiced at their jobs. If that seems somewhat illogical, let’s go one statistic further from Trendscape report – Globally 51% of organizations do not believe they are ready or would respond well to a cyberattack.
Additionally, nearly 29% of organizations that have cyberattack and breach response plans have not tested or updated their plans in 12 or more months. In other words, there are a whopping 80% of companies who are likely going to do poorly when attacked. A recent example being the RavnAir cyberattack, which canceled flights in the past week. RavnAir has just under 1000 employees and many attacks on companies of this size rarely make the headlines but still have significant and expensive impacts on business operations.
Everyone that has worked in security is aware of the people, process, and technology triad. The IT Governance Group out of the UK wrote a great blog about how this triad applies to security. Two paragraphs from this blog bear repeating:
“Every company’s specialized technical cybersecurity staff needs to be fully up to date with the latest skills and qualifications to ensure that appropriate controls, technologies, and practices are implemented to fight the latest cyber threats. Cyber security staff who don’t stay up to date affect the organization’s ability to mitigate and respond to cyber-attacks,” and
“Processes are key to the implementation of an effective cyber security strategy. Processes are crucial in defining how the organization’s activities, roles, and documentation are used to mitigate the risks to the organization’s information. Processes also need to be continually reviewed: cyber threats change quickly, and processes need to adapt with them. But processes are nothing if people are not trained to follow them correctly.”
IT Governance Group UK: Three pillars of cyber security
This graphic is also from the same IT Governance Group blog. Note the comment technology circle – “You can’t deploy technology without competent people, support processes, or an overall plan.”
So let’s bring all these interesting statistics and models together and try to understand the takeaways.
The priority and investment put on training your cybersecurity team should be higher (2 or 3X greater) than the priority and investment placed in employee security awareness training. Not that security awareness is unimportant, however. The Trendscape survey found that targeted phishing and social engineering type attacks remain significant, but as even the best employee training never stops 100% of these attacks, some will always make that bad click. Other attacks, malware, ransomware, and vulnerability exploits (especially XSS and SQL – listed as high risks in the report) have to be dealt with as well.
The core of an organizations defense requires the cybersecurity team to be prepared to defend against a huge range of attacks. It is time to reprioritize your training focus so that the cyber team can experience these vectors in a benign environment before faced with the real attack. At the very least, cybersecurity training for the technical team should receive equal resources to security awareness.
People, not technology are the most critical assets to your cyber defense efforts. Companies in the survey are spending an average of 7% of their IT budget on technology, and 76% of the companies that responded are increasing that budget in 2020. Yet, 51% of companies believe they will not successfully defend the next attack and 29% that have defensive plans have not touched or trained on them in over a year.
In 2020, move some of the planned technology spend to team training. Focus on operational training that prioritizes defending against relevant attack methods and vulnerability detection, and blow the dust off those old plans and use them in blue team exercises. This approach will allow the team to understand and execute them properly and update them to the ever-changing threat environment. The best way to get tangible results for cyber resilience is training and practice. Together, they prepare a team for success and they build confidence.
A dollar spent training your cybersecurity team carries a residual spend into your technology and the effectiveness of your processes. The reverse is not true with technology. Everyone in security is well aware (and the IT Governance Blog explains) that a dollar spent on technology requires additional technology training spend or the technology deployment will fail. Worse, much of the technology training is not operational cyber defense training, it is management and maintenance of the technology and takes away from building a cybersecurity team with strong skills.
In your 2020 planning, breakout a budget line item for ongoing operation training of your security team, and then develop a training plan that includes skills, technology, and process training as well as assessments and blue team exercises. That investment will offer a much greater return across your entire cybersecurity program that the next dollar you spend on another piece of technology.