Addictive learning works because it keeps students interested and challenged at all times.

Margus Ernits, CTO of RangeForce

August 2, 2021


Cybersecurity experts often complain that organizations see training as a one-and-done exercise, a chore to tick a box in a form required by corporate governance. But to keep up with today's threat environment, your security staff must be always learning.

Cyber threats are constantly shifting, and security operations center (SOC) teams need to constantly adapt their defensive measures and techniques so that they're ready when attackers change their approach.

That's why many companies are shifting to a new model of continuous learning. To make behavior change happen among your cyber defenders, training needs to be repeated often and with various technologies. This allows learners to acquire new skills to keep pace with the changing threats they face.

But changing behaviors — the ultimate goal of most security training — is a big ask, especially when staff is stretched and time-pressed. More than two-thirds of cybersecurity professionals say they want to keep up with their training, but only 17% find time in their schedules.

The challenges to cybersecurity training are many: time, budgets, management buy-in, and more. To be truly effective, a continuous education program needs to address the following dynamics.

Knowledge Retention
Humans have a limited capacity to absorb information, so training programs need to ensure that the right knowledge sticks. Traditional training methods that rely on memorization can cover a lot of material, but ensuring it is retained by the learner is another story.

Some programs give learning a boost with practical exercises such as CTF games — named after capture-the-flag contests — where learners work in a virtual platform set up for the exercise. These games don't teach how to build or manage secure systems and don't really change behavior, but they help defenders understand how hackers operate, so they can better understand how attacks will develop. The main purpose of CTF games is to reinforce learning, not replace it.

Adaptive Learning
Most cybersecurity professionals find themselves too busy to keep up with training on their own, so a software solution that works around their needs and knowledge level should optimize the training content to fit them, saving time and effort.

Adaptive learning systems use real-time learning tracking and continuous assessments to create a learning path that's more efficient than a one-size solution. Learners can advance to where they need to be, not waste time relearning what they already know.

Many of these programs benefit from using data-driven approaches and machine learning to improve the fine-tuning process. To keep from losing motivation in challenging situations, students need to get guidance and hints at the appropriate time.

Interactive Learning
Most rote learning is not engaging enough to be meaningful. Students often don't find regular online content to be very useful to their daily tasks, especially if it's just a digital textbook with no interactive elements.

Learner engagement is the best way to encourage retention, and hands-on learning is the best way to ensure both knowledge retention and behavior change. Real-life content based on actual cases and simulations that are not just pass/fail quizzes creates a challenge for students. Exercises and games that simulate their company's environment, with learning modules built around the company's vendors and integrations, can also build knowledge learners can port easily into their daily work.

Performance-Based Training
Training programs should align to the roles of your teams to ensure that relevant skills are developed. Each training module should have a learning outcome, and each skill should be measured and tested to gauge whether that learning outcome was achieved.

Many organizations have described the role levels for SOC1 and SOC2 or benchmark against standards such as NIST-NICE that describe jobs, knowledge, skills, and abilities. This can become the basis for building modules or learning paths to allow the organization to benchmark the program against those standards and jump-start training.

Skills Mapping
Organizations are embracing skills mapping, the systematic process of measuring and improving critical skills within an organization. Skills mapping allows for new levels of productivity and profitability.

Skills mapping closes the circle by identifying and targeting skills gaps, potential areas for growth, and areas that are missing based on the company's values and mission. Some common ways to measure this are post-tests or hands-on assignments that demonstrate a new skill.

The best training programs measure real achievement, instead of measuring the method that the learner uses to achieve it. For example, in a scenario simulating an attack on the system, the learner needs to protect the system while emulated users are still using it, so simply taking down the system would not pass this test. Learners can execute various defense methods and solutions to keep the system going: A developer can fix the program code so that the system works, while a security person can block attacks by installing an intrusion detection system.

The ultimate goal is to create a learning environment that keeps students interested and challenged at all times. Call it addictive learning.

[Editor's note: The author's company is one of a number of companies that offer cybersecurity training services.]

About the Author(s)

Margus Ernits

CTO of RangeForce

Margus Ernits, CTO of RangeForce, has more than 20 years of experience in IT operations as a systems integrator and consultant. He is also a lecturer at Estonian Information Technology College.
