They say once you learn to ride a bike, you never forget. When it comes to cybersecurity, that bike is constantly changing, and the learning never stops. Continuing education is important for many professions, but it’s essential that everyone in the organization receives training in cybersecurity.
Why everyone? Organizations can’t assume that all employees know or follow proper cyber hygiene in their personal lives. Allowing them to connect personal devices to the organization’s network or use company resources without training is taking a big chance with data, arguably one of the organization’s most valuable assets. Most breaches involve human error somewhere along the chain, and that is exactly what training can address.
Growing a cybersecurity knowledge base within the organization does three things:
Strengthens the first line of defense against cyber threats
Helps embed a security mindset into the organization’s culture
Develops a security stance as a competitive advantage
To help get started, here are 10 of the best tips to help security executives and their organizations move the needle from cybersecurity zero to hero.
1. Determine cybersecurity needs. A deep assessment can help organizations consider all of the areas where cybersecurity is needed and how much of that need can be outsourced versus handled internally. Consider:
Strategic plans: What skills are needed to accomplish long-term goals?
Workforce: Does the organization have the talent needed? Will we hire up or train up?
Budget: What can be spent on training, certifications, and continuing education?
Competition: What will it take to keep on par with (or ahead of) others?
Culture: How is security viewed here? Is it part of how the mission is accomplished?
2. Establish a training cadence. For cyber basics and awareness, companies should hold cybersecurity training every four to six months, updated each time with the newest schemes and tactics used by bad actors. For certified staff, the cadence is set by the certification itself: requirements range from classroom hours to continuing education credits to periodic retesting.
3. Use free resources. Organizations don’t have to pay for basic training! There are some very good cybersecurity resources available free from the U.S. Government. Visit the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
4. Get to the “why.” Cybersecurity training won’t “stick” unless employees understand their responsibilities and take their roles seriously. Ensure the training answers, “Why is cybersecurity important to our mission?”
5. Put employees to the test! Testing is a part of education. Send simulated phishing emails, run tabletop exercises, and role-play a simulated attack or ransomware situation. Even employees who know they could be tested slip up, and those slips are teachable moments to slow down, trust their gut, and verify. Treat them as coaching opportunities rather than grounds for punishment; employees who fear being blamed stop reporting the suspicious emails security teams most need to hear about.
6. Align training and policies. Make sure to reiterate all the best practices covered in training by creating policies and rules — and putting them in the employee handbook. Guidelines for daily activities, as well as reporting requirements, help institutionalize cybersecurity practices.
7. Explain the HOW. Make a point of explaining the organization’s security posture and monitoring practices to employees. Not as a scare tactic (“We’re always watching!”) but rather to demonstrate the value of the data, how seriously security is taken, and to help employees feel comfortable being part of the solution.
8. Leverage experts. Many organizations have a wealth of cybersecurity knowledge within their IT and leadership staff that can be shared through lunch-and-learns, webinars, hands-on mentoring, and idea meetings. Internal instruction is good for teaching procedures, and tips and tricks learned in the trenches.
9. Reach to the top. Cybersecurity is an operational responsibility in every business, and leadership needs to understand it. Even with experts on staff or outside cybersecurity consultants under contract, leaders should have a working knowledge of cybersecurity basics, the company’s posture, and the areas where the organization faces risk, so that security decisions are informed ones. Leaders who are unsure, or embarrassed to admit what they don’t know, should brush up on the basics online and sit down with their consultants to ask questions.
10. Keep the good going. Cybersecurity is not a “one and done” task. The landscape is changing so fast that it requires almost constant attention just to keep up. Training also takes time and repetition — especially for new skills or procedures. Fiercely protect the training budget, prioritize time for training, and create opportunities for everyone — from basic users to the pros — to apply what they have learned.
We occasionally hear from clients who worry about investing in cybersecurity certifications and other marketable training. They don’t want to pay for training only to have employees take those skills to greener pastures. The advice is always the same: “You have to pay for expertise.” If organizations don’t increase compensation commensurate with skills, their people and training might walk out the door. And replacing that person means paying a higher salary to the replacement. Either way, they will pay.
By Derek Kernus