It’s easy to understand that if the technology market moves very fast, the security segments of it move even faster. This is the very definition of a dynamic environment—new dangers appear on the threat matrix every day, which means the ground is always shifting. It’s also easy to see how good security technology meets this challenge by constantly updating itself to combat new incoming threats.
But here’s where it gets murky: Can we as individuals keep pace with the threats? And if we can’t, can even the most sophisticated tools ward off all dangers? No, we can’t, and that’s a big reason why the bad guys are usually ahead. That’s where CISO training comes in to ensure we have trained professionals to manage threats.
Think of it as the human factor. The tools keep getting better, but inside this swirling vortex of innovation and sophistication, we as people—consumers, business professionals, and security specialists—have to scramble to understand new dangers and newer defenses. Even for tech teams dedicated to protecting the network, it’s a constant nightmare. For the rest of us, the reality is that while the threat matrix changes by the hour, IT security sessions take place maybe a few times a year, and it’s hard to even fit those into a busy schedule.
But it’s not only a question of schedules and availability. Even security professionals typically don’t get real-world, hands-on experience, and what they do learn has been thorough multiple approvals, which means it’s behind the times.
Meanwhile, business professionals live and work within environments that are immersive, multimedia and—let’s admit it—often fun. We switch from market analyses and business spreadsheets to personal emails and video games without a thought, just as work-specific and personal apps reside in peaceful co-existence inside our mobile devices. In this dynamic and rich-media digital universe, the idea of attending classroom sessions (even online) to learn about new security threats is boring, mostly unproductive and hopelessly obsolete.
So what will it take to bring cybersecurity training into the digital age and better keep pace with emerging dangers? These eWEEK Data Points are brought to us by James Hadley, founder and CEO of Immersive Labs, a former GCHQ researcher who realized during summer school programs that passive, classroom-based learning doesn’t suit the nature and pace of cybersecurity.
Data Point No. 1: Bring Learning Methods Up to Date
Classrooms with desks organized in rows date back to the Industrial Revolution, and it was done to ease passive learning—everyone goes only as fast as the slowest learner. In today’s world, we encourage facilitation over instruction, and that’s enhanced with individual engagement rather than group sessions.
Data Point No. 2: Customize the Content
We operate is an environment of convenience—we buy through a personal shopping cart, apps we download and display the apps of our choice; we prioritize daily tasks, etc. We have individual tastes, skills, needs and preferences, and the digital universe is tailor made for those factors. The days of generic, all-purpose education are gone. Learning tools that have a high level of flexibility—learn when we want, in the digital environment we choose, go as fast or as slow as we like—will be much more welcome. Log on after midnight, create an interactive world from your favorite period in history, set your own speed, and then adjust as necessary? Now that’s learning.
Data Point No. 3: Make It Fun
It’s hard enough getting business users to acquire skills that don’t tie directly to their duties, even if they acknowledge that security is everyone’s responsibility. In particular, a generation of tech-savvy professionals who came of age with 3D and VR tools, interactive gaming and mobile apps for everything needs training to be immersive, relevant, dynamic, awash in rich media and just plain fun. Offering dynamic cyberlearning that builds on those elements makes a huge difference.
Data Point No. 4: Acknowledge the Need—The Need for Speed
Timing is everything: The best defenses today could be grossly inadequate tomorrow. Hackers set the market—they have the luxury of innovating at their own pace, in areas they choose, pursuing the vulnerabilities they identify. On the flip side, many tech security learning programs build on information that is months old and outdated. IT security needs to innovate as fast as the criminals.
Data Point No. 5: Live in the Real World
Attacks don’t occur in a vacuum—every business operates in different environments and must cope with different areas of vulnerability. That’s why IT security cyberlearning programs should feature relatable threat situations and real-world attack techniques and around emerging or zero-day threats, all the way from phishing attempts to reverse-engineering malware. An academic approach won’t have the same impact.
Data Point No. 6: Made to Measure
It’s an unfortunate aspect of cybersecurity expenditures that it’s not always possible to measure effectiveness, at least not of particular tools or strategies. There hasn’t been successful breach, so the defenses worked. However, an optimal security strategy mandates the ability to identify weak spots, and then offer training to cover for those weaknesses. This is an ongoing process—again, the new threats we face now might be very different from those that arrived last night. The best security strategy identifies vulnerabilities early, sets up training programs constantly and measures improvements in real time.