Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Anthony Johnson
Anthony Johnson
Connect Directly
E-Mail vvv

Cybersecurity Leaders: Invest In Your People

Training, especially cross-training, is insanely powerful when team members are able to experience, train, and work together. It also builds trust.

As a former CISO who talks to a lot of company officials, board members, and other cybersecurity leaders, I'll let you in on what keeps them up at night. Actually, that's one of the phrases that drives me the most insane. Here is what they are really concerned about.

It's not what you'd think or what we say when asked for an official response — not Pirate Panda, Mummy Spider or any other funny advanced persistent threat names; or even any of the more mundane issues like patching or access control that keep us from making real progress in protecting our companies.

It's people. It's the team members that we trust and depend on to actually do the front-line work of protecting the enterprise. Sometimes they are identifying risks, installing or patching systems, responding to an incident or, often, many of the above at once. Even in small firms people who deploy apps do not handle incidents.

Like any C-suite executive, CISOs worry about attracting and retaining talent, preparing the workforce for the challenges facing the business, and creating a culture that embraces diversity to drive innovation. Those three things matter more than anything else.

When you look at it a bit closer though, that's where things start to really come into focus and raise the insomnia-inducing questions:

  • Have we prepared them to be ready for the multitude of things they are doing to deal with?
  • Do they trust each other? Do they trust me? Do I trust them?
  • How can I be a part of the solution to both better equip them and to help them build trust as a team?
  • Have I invested in them?

I see a lot of companies that invest in technology, AI this or ML that, but they lack the fundamental foundation of a solid team. They haven't invested in their people. They failed to earn and build trust. I believe that one of the best ways to build trust is to walk a mile in someone else's shoes, to experience their day-by-day and to be trained on how to help them.

I often think of things in a really basic sense of input and output. Training, and especially cross-training, is insanely powerful when team members are able to experience, train and work together with team members where they are either an upstream supplier or a downstream consumer. For example, on one of my SOC teams, I built and trained my SOC analysts to deliver exactly what the network and endpoint control owners need for each incident containment playbook. The dividend was a 40% reduction in MTR (mean-time to respond).

Not only are you creating a more robust and balanced team, you're creating a team that is able to anticipate what the other person may need. You're expanding their field of expertise and helping to foster relationships so they can help each other. 

By investing in training, and specifically cross training, you are infusing the DNA of your organization with one of the most powerful force-multipliers out there. 

Organizations will continue to shift and adjust to emerging technologies and market demands. One of the best things we as leaders can do is to continually train our staff so that when it's necessary to shift they are ready.

Here are five steps for enterprises to take:

  • Find the right training environment for a hands-on ongoing training program and commit to it. This is essential unless you want to lay people off, have a revolving door for talent, or have people sitting on their hands during an incident.
  • Stop wasting time and money sending people to costly online and classroom training that only contributes to the misguided view that training is something to be scheduled.
  • Assess who and what you have to work with. Have each team member complete assessments to discover their hard and soft skills. You can do this with individual training assessments, or for a team in an online cyber range and learn even more about how your team performs under the stress of an attack. This is where you learn where the gaps are, not just in skills but in communications and collaboration.
  • Build a cross-training program. For staffing shortages, the team's most reliable players can cross train to become subject matter experts to backup existing staff. Extending training to web application developers, DevOps, network, and IT specialists will help provide the reserves and reinforcements you need when trouble strikes.
  • With work-from-home likely to be here to stay, it makes sense to cross train network security or other IT staff whose workloads may have dropped and point them toward building endpoint security, administering VPN systems, and handling encryption configuration and threat hunting.

Yes, technology is great. Without the people, though, it misses the mark. Without a well balanced and trained team, it usually fails to reach its potential and sometimes fails completely. 

I once took over a team that had never received management support for professional training. Soon after I was on board, we made a major pivot in our technology stack. The team was unable to support the new technology because they were  decades behind in security thinking. It wasn't an age thing; it was a readiness thing. It was a training thing. We had to make some hard choices and people left the company because management failed them. That was one of the most profound realizations for me. 

By investing in people, at the right time, with the right training, I could help ready them for a future where I wasn't able to protect them as their leader. It's why I'm so passionate about it now.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.

Anthony Johnson is a Managing Partner at Delve Risk, a boutique technology consulting firm specializing in bringing next-generation methodologies and approaches to cybersecurity and risk management problems. With more than 20 years of experience in cybersecurity and C-suite ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.