It's time to rethink our approach to cybersecurity training
- By James Hadley
- Feb 20, 2019
Toward the end of 2018 the Office of Management and Budget announced an initiative aimed at finding the next generation of cyber talent within the federal government. Open to those already working within the government, the Federal Cybersecurity Reskilling Academy will see around 25 people partake in a three-month curriculum, which incorporates training designed to qualify participants in cyber analyst capabilities.
While the initiative is a creative (and worthy) attempt to satisfy the ever-growing skills gap, it risks falling short. Sure, it may tick boxes with HR, but it will not help build the effective security posture that countries and enterprises so desperately need. Ultimately, modern-day threats demand modern-day responses.
While the courses have been constructed by experts, the way they are taught is unlikely to equip participants with the tenacity and skills required in the current threat landscape. This is not to do with the program participants but the style of training, which is out of step with threats faced by modern-day threats security teams.
In fact, the basic principles of cyber training have changed little since their inception in the 1990s, when the first antivirus solutions were being built and hacking was a low priority for CEOs. As a result, cyber skills were learned passively. And this was okay; changes occurred far more slowly back then, so knowledge gained in a lesson could remain relevant for a year or more.
That may have worked at the time, but it certainly doesn't now.The industry has evolved -- not least cyber criminals, who are extremely innovative and typically the first adopters of new technology. On the other hand, cyber training has changed little.
The only way we will begin to satisfy the skills gap is by revolutionizing training methods. Top cybersecurity workers want to learn and not be taught; they are naturally inquisitive and learn best by breaking things apart before reassembling them. Curiosity and tenacity are traits that cannot simply be taught; they must be nurtured, which doesn't happen in the stale classroom environments that have been the status quo.
Cyber skills training must be a continuous process. Security workers need access to contemporary threat data as soon as it becomes available; hackers, after all, are creative and can unpick even the best technologies when they hit the market. We need to match this with IT staff honing their skills to face any new threats that emerge.
Not only will this improve security, it will provide them with the confidence to know that even if they do not recognize a threat, they can learn how to deal with it efficiently. Under the traditional system of learning, the mean time between an attack and ability to respond is huge -- potentially days, weeks, or months. In the modern world, where an attack can move incredibly fast, a few days could result in catastrophic damage to a company's reputation. By using new practices to reduce this gap we can greatly reduce the time it takes to identify and remove a threat.
The federal government is a serious target for nation-state attacks. To ensure it is fostering the best talent, it must engage it in a modern way. Large organizations are notoriously slow to react to new threats or changes in the market and the federal government is one of the largest organizations in the world. As such, it must worry less about satisfying HR requirements and give itself a fighting chance of responding to emerging threats.
James Hadley is CEO of Immersive Labs.