Just as sports teams practice and train for upcoming games, your organization should be constantly and consistently practicing and training for cybersecurity events, building the muscles and skills they’ll need to respond when a cyber-attack inevitably happens. Planning and scheduling training and exercise is crucial because it allows teams to assess their performance and readiness. Team exercises should be done regularly and with the same tools, techniques, and procedures used in daily operations, and simulations should reflect real-world scenarios that teammates are likely to encounter in their daily work. This helps to build confidence in responding to specific threats and ensures that individuals are prepared to act accordingly. After each exercise, it’s important to provide feedback and discuss what worked well and what could be improved. Helping teammates learn from their mistakes and improve their responses is one of the most valuable takeaways from any training event.
In the movie Any Given Sunday, Al Pacino gives a memorable speech to his losing football team. The speech highlights a critical lesson for teams: Trust in themselves and their teammates is critical for success. Just as elite sports teams depend on trust among players to perform at their best, cybersecurity relies on trust in computers, people, and organizations. We trust computers to perform reliably and consistently, just as we trust our teammates to excel in their organizational roles. As with sports, building trust within a cybersecurity team is essential for success. By emphasizing reliable and repeatable behavior, individuals and teams can develop the confidence needed to perform effectively in any situation they encounter.
Our expertise at the CERT Division of Carnegie Mellon’s Software Engineering Institute is in Cyber Workforce Development. Our work helps organizations acquire the skills they need as a team to combat cyber threats. In many ways, business leaders function as coaches, helping employees develop crucial skills to make the organization successful. Just as sports teams must train and practice to build trust and cohesion, businesses must do so to ensure high productivity in an evolving workplace. We believe that individual training and team exercises can help create a clear business advantage. Through repetitive drills and practice, individual players can become subject matter experts on particular tools or techniques, while teams can collectively respond in the best possible manner to any scenario they’re likely to confront. Your organization should be constantly and consistently practicing and training for cybersecurity events, building the muscles and skills they’ll need to respond when an attack inevitably occurs.
Identify Key Cybersecurity Skills for Your Organization
Just as coaches defines the style of play for their teams, developing an effective cybersecurity training program requires identifying the specific skills and knowledge needed to confront cyber threats in a way that aligns with the organization’s goals and objectives. There are several ways to do so.
- Conduct a skills-gap analysis by comparing your workforce’s skills to those needed to confront cyber threats. The National Institute of Standards and Technology’s (NIST’s) NICE Cybersecurity Workforce Framework is a helpful resource for identifying the skills and knowledge needed for an effective cybersecurity team. Reviewing your security policies, procedures, and protocols is another good starting point.
- Review industry standards with organizations such as NIST and CISA to ensure that your organization is aligned with the best practices in your industry, and incorporate those practices into your cybersecurity training program. For example, there are special controls for organizations handling certain kinds of data, such as health care data and personal identifiable information, so certain industries need to adhere to regulations such as Personal Identifiable Information (PII) or the Health Insurance Portability and Accountability Act (HIPPA).
- Engage with departments and leaders within your organization to understand their specific cybersecurity concerns and challenges. For example, a global sales force must consider its use of data in light of legislation such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Speaking to each department leader will provide insight into the specific training needs at all organizational levels.
Develop a Performance Improvement Plan to Meet Your Strategy
Once you have identified the skills and knowledge needed to combat cyber threats, the next step is to develop a comprehensive training and exercise program to improve them. Here are steps that can be taken to develop an effective program:
- Design simulations to cover a range of scenarios, including phishing, ransomware, and social-engineering attacks.
- Like blocking and tackling practice in football, begin with simple scenarios that focus on core concepts, and gradually increase the complexity of the scenarios. Focus on building skills and confidence before tackling more-difficult threats.
- Focus simulations on real-world scenarios that teammates are likely to encounter in their daily work. This helps to build confidence about responding to specific threats and ensures that individuals are prepared to act accordingly.
After each exercise, provide feedback and discuss what worked well and what could be improved. Helping teammates learn from their mistakes and improve their responses is one of the most valuable takeaways from any training event.
Execute an Ongoing Campaign of Effective Training and Exercises
Great athletes train regularly. Businesses must likewise prioritize ongoing skills development to remain competitive as technologies and cyber threats change rapidly. Here are some key considerations.
- Training and exercise budgets should not be sacrificed in cost-cutting measures. Investing in employee development delivers enormous value, and no company can afford to underestimate the long-term financial costs of a cyber breach.
- Planning and scheduling training and exercises is crucial; it allows teams to assess their performance. By regularly identifying areas for improvement, teams can plan and execute more effectively in the future. Additionally, taking the time to review and evaluate past performance can lead to more-informed decisions about which scenarios to exercise and which tools to use in future training sessions.
- Team exercises should be done regularly and with the same tools, techniques, and procedures used in daily operations to build useful muscle memory in real-world situations.
In his speech, Pacino says, “You find out life’s this game of inches; so is football.” So is cybersecurity. Every inch of progress counts. Today’s threats are more sophisticated and widespread than previous ones, and it’s not a question of if an organization will face a cyber-attack but when. That’s why it’s crucial for business leaders to prioritize cybersecurity training and exercise as a key component of their overall security stance. By identifying the specific skills and knowledge needed to effectively combat threats, planning and scheduling training and exercises, and engaging with key stakeholders to understand the specific training needs of their organization, businesses can build a stronger, more confident team. Investing in employee development through formal training programs and ongoing exercises can deliver enormous value and help businesses stay ahead of adversaries in the ever-changing cybersecurity landscape.