As a former CISO who talks to a lot of company officials, board members, and other cybersecurity leaders, I'll let you in on what keeps them up at night. (That phrase, by the way, is one of the ones that drives me most insane.) Here is what they are really concerned about.
It's not what you'd think, or what we say when asked for an official response. It's not Pirate Panda, Mummy Spider or any of the other colorful advanced persistent threat names, and it isn't even the more mundane issues, like patching or access control, that keep us from making real progress in protecting our companies.
It's people. It's the team members we trust and depend on to actually do the front-line work of protecting the enterprise. On any given day they are identifying risks, installing or patching systems, responding to an incident or, often, doing several of those at once. In small firms especially, the people who deploy applications are frequently the same people who end up handling incidents.
Like any C-suite executive, CISOs worry about attracting and retaining talent, preparing the workforce for the challenges facing the business, and creating a culture that embraces diversity to drive innovation.
When you look a bit closer, though, that is where things really come into focus and raise the insomnia-inducing questions:
- Have we prepared them for the multitude of things they are expected to deal with?
- Do they trust each other? Do they trust me? Do I trust them?
- How can I be a part of the solution to both better equip them and to help them build trust as a team?
- Have I invested in them?
I see a lot of companies that invest in technology, AI this or ML that, but lack the fundamental foundation of a solid team. They haven't invested in their people. They failed to earn and build trust. I believe that one of the best ways to build trust is to walk a mile in someone else's shoes, to experience their day-to-day and to be trained on how to help them.
I often think of things in a really basic sense of input and output. Training, and especially cross-training, is enormously powerful when team members experience, train and work alongside the colleagues for whom they are either an upstream supplier or a downstream consumer. For example, on one of my SOC teams, I built and trained my SOC analysts to deliver exactly what the network and endpoint control owners need for each incident containment playbook. The dividend was a 40% reduction in MTTR (mean time to respond).
Not only are you creating a more robust and balanced team, you're creating a team that can anticipate what the person on the other side of a hand-off will need. You're expanding their field of expertise and fostering the relationships that let them help each other.
By investing in training, and specifically cross training, you are infusing the DNA of your organization with one of the most powerful force-multipliers out there.
Organizations will continue to shift and adjust to emerging technologies and market demands. One of the best things we as leaders can do is to continually train our staff so that when it's necessary to shift they are ready.
Here are five steps for enterprises to take:
- Find the right training environment for a hands-on ongoing training program and commit to it. This is essential unless you want to lay people off, have a revolving door for talent, or have people sitting on their hands during an incident.
- Stop wasting time and money sending people to costly one-off classroom or online courses that only reinforce the misguided view that training is an event to be scheduled rather than an ongoing practice.
- Assess who and what you have to work with. Have each team member complete assessments to discover their hard and soft skills. You can do this with individual training assessments, or for the whole team in an online cyber range, where you also learn how the team performs under the stress of an attack. This is where you find the gaps, not just in skills but in communication and collaboration.
- Build a cross-training program. To cover staffing shortages, the team's most reliable players can cross-train to become subject matter experts who back up existing staff. Extending training to web application developers, DevOps, network, and IT specialists will provide the reserves and reinforcements you need when trouble strikes.
- With work-from-home likely here to stay, it makes sense to cross-train network security or other IT staff whose workloads may have dropped and point them toward building endpoint security, administering VPN systems, and handling encryption configuration and threat hunting.
Yes, technology is great. Without the people, though, it misses the mark. Without a well balanced and trained team, it usually fails to reach its potential and sometimes fails completely.
I once took over a team that had never received management support for professional training. Soon after I was on board, we made a major pivot in our technology stack. The team was unable to support the new technology because they were decades behind in security thinking. It wasn't an age thing; it was a readiness thing. It was a training thing. We had to make some hard choices and people left the company because management failed them. That was one of the most profound realizations for me.
By investing in people, at the right time, with the right training, I could help ready them for a future where I wasn't able to protect them as their leader. It's why I'm so passionate about it now.