The endless cat-and-mouse struggle between defenders and attackers is placing pressure on organizations of all sizes to continually increase the skills of their security teams. Meanwhile, the shortage of and competition for skilled security professionals makes hiring new staff extremely difficult. Developing internal resources is often a better alternative.
Regardless of the maturity level of your security team, following this four-step plan that spans assessment and continuous skills development will enable you to improve your cyber-defense readiness across the board.
Step 1: Assess
To create a useful assessment, begin by challenging security staff with exercises that force them to take action or perform a task, as opposed to just asking them to answer multiple choice questions.
People must be placed in a situation that forces them to think and act, not just guess, and that enables managers to assess the participants' ability to make tough decisions. The assessment tools should not contain any hints toward solutions; they should force people to reveal whether or not they actually know the subject.
The assessment should not bear the stamp of a pass/fail mentality, but should be nuanced, emphasizing that different people have different degrees of knowledge about a subject. For example, some people can make their way through a few steps of a challenge but get stuck in the middle or near the end. Remember, the purpose of the assessment is to assess, not to pass or fail participants.
Step 2: Fill Skills Gaps
The best starting point is to begin with the basic skills needed for different topics. For example, in detecting ransomware, begin by laying out the typical indicators of ransomware — exploring the common artifacts created when an infection happens.
From there, expand the knowledge base by examining specific forms of ransomware, such as WannaCry — noting all similarities among the forms but also promoting critical thinking to distinguish unique strains.
The plan should be to equip staff with the basics of ransomware, then walk them through guided exercises that build on that knowledge. Step by step, the goal is to bring learners to very advanced topics, including threats that are new and for which no established patterns or written rules yet exist. This will help develop expertise so that staffers can detect new infections they have not seen before.
Step 3: Validate Progress
This step centers on putting individuals in team exercises where they need to address a live threat in a real-world or realistic situation. It includes detecting, responding to, and, where possible, mitigating a threat. At the very least, the team should be tasked with providing guidance for mitigation.
The team element is vital as staffers are always working alongside others in the real world. That means collaborating with peers who have higher or lower skill levels, as well as with team members who may make mistakes under pressure.
Ideally, learners should be placed in a scenario that allows evaluators to assess how they respond in a stressful setting. The assessment should focus on two elements: technical competency and ability to work in a team.
Step 4: Continuous Development
The core concept here is the need to identify new competencies for individuals and groups, and to continuously refine, elevate, and validate their skills.
To achieve this goal, measure your team's defense readiness, gauging how it performs in exercises involving threats that have varying levels of sophistication. In addition, use an index or metric to assess and rank where learners are in terms of their skill set, so you can keep moving them up the ladder of readiness.
Making time is probably the biggest obstacle in developing cyber skills, because everybody is busy. However, team members need to continuously improve to keep up with new threats. Organizations need to invest in professional development — and to actually make time for it.
Security leaders often struggle to set up and develop training programs because most of them lack any experience in doing so. Anything to do with training is probably not in their job descriptions. However, external resources are a good place to start when developing a training curriculum.
Training content must be challenging and relevant, contain hands-on exercises, and use real tools. Blog posts, presentations, and articles are useful, but hands-on experience is the best way to acquire new skills.
Developing cyber skills is a continuous journey of assessment, real-world training, and validation, not a destination.