Cybersecurity professionals are both in demand and in short supply as the much-discussed cyber-skills gap continues to widen and impact the industry. As a result, attention and efforts have turned to better and more effective strategies for training the next generation of cybersecurity pros.
Circadence is a creator of cybersecurity education and training platforms designed to do just that – but with a new and different twist.
The company builds its training platforms in a gamified fashion, providing hands-on experiences incorporating missions, battles and real-life scenarios that recreate the types of situations that cybersecurity professionals face when defending against real cyber-attacks. The aim is to address existing and emerging customer needs across cyber-training and assessment, content development, event scheduling and operational tools for a lifetime of cyber-preparedness.
Infosecurity recently spoke to Circadence CEO Mike Moniz about current cybersecurity training strategies and what he thinks the future might have in store.
How would you rate the general standard of cybersecurity training methods in 2019?
I absolutely believe that we can do better to improve the general standard of cybersecurity training. Many organizations still rely on expensive and non-scalable traditional classroom training, often passively delivered via PowerPoint or video. This type of training is difficult to update and simply can’t keep up with the rapidly evolving threat landscape. In addition, this type of training is difficult to customize to suit different learning styles such as visual learners, autodidactic and firsthand learners. The good news is that we have tremendous opportunity in the industry to use technology to facilitate cyber-training in ways that are stimulating, memorable and more hands-on.
Is enough focus and spend currently dedicated to cybersecurity training efforts?
In my experience, the issue isn’t the gross spend on enterprise cybersecurity training efforts, it’s the efficiency of the enterprise cyber-training dollars spent. We should be allocating cyber-training budgets in a smarter way – in a way that allows people to receive better learning outcomes through more tailored experiences that match their work roles and work environments.
Frankly, a lot of investment is placed in areas that are not relevant or advantageous to what a cybersecurity professional needs to defend the frontlines. My vision is that every dollar spent on cyber-education should go directly back into cyber-learning. Right now, the majority goes back into the classroom, the unscalable infrastructure, the instructors and dated curriculums rather than preparing the worker to face escalating global threat actors.
Continued learning is another area that needs more attention. The more targeted we can make the cyber-professional’s experience, the better the outcome and retention they’ll have – and you don’t need massive budgets to do that. You need training approaches that adapt to different learning styles and are readily accessible. To that end, you don’t need to double your budget to double your outcomes.
Fortunately, cloud technology and Circadence’s immersive cyber-ranges are really changing traditional cyber-training approaches for the better, making learning more relevant and applicable in the workplace.
What factors are crucial when it comes to implementing successful and effective security trainings?
- Alignment: cyber-training needs to be better aligned to specific learning outcomes and business objectives. Professionals should understand the why behind a training exercise, how it advances their organization’s security posture and how it can enhance their own professional development. These tools need to be representative of and relevant to your industry, your enterprise, your environment and your employees.
- Measurable: cyber-training must be measurable and applicable to your enterprise and industry. The learning needs to be aligned with the tools they are using day-to-day in the workplace. You should be able to engage with the latest kinds of threats in your training environment, to make it as ‘real’ as possible so you are training as you would fight on the frontlines.
- Engage in persistent learning: persistent and enduring cyber-training is imperative. We need to get away from the notion of persistent periodic cyber-education and training. We need uninterrupted access to developing new cyber-skills anytime, anywhere. Much of that can be achieved in cloud-based range training, accessible on a browser. Skills need to be fresh and refreshed often and continuous learning is the way to get there.
- Adaptable: the training needs to be relevant and adaptable to a professional’s learning style. You need to have a mix of audio, text and visual learning options to accommodate those preferences. Learners also need to engage in training exercises both individually and in teams to get a holistic, well-rounded experience. This means we need complex learning environments that match the complex landscape.
- Modeling a Framework: NIST’s NICE Cybersecurity Workforce Framework is a great resource for organizations to baseline current workforce cyber-competencies, embolden strengths and harden weaknesses. From there, an organization can take this information and pave a clear learning path for their workforce that is specific to both work-role and the threat landscape to see what roles are missing, who is really performing and how to upskill the workforce.
How important is creativity when it comes to cybersecurity training?
Every day, hackers engineer new capabilities to determine how to penetrate a specific environment – and that requires creativity. To get ahead of this threat, the next generation of cyber-training must have the freedom to allow for smarter and more creative answers.
Gamification is being used to meet hacker creativity head-on and is one more tool to help maximize the cyber-training investment. Gamification uses game-like elements in an exercise (like badges and rankings, points and leaderboards) to encourage learning and engagement. It creates an enduring learning experience that gives security leaders incredible insight into how their team is performing, and trainees develop a sense of creativity because they must solve problems in unique ways and think critically about each move they make in their exercise.
The more we can tap into people’s creative thinking using gamification, the faster we can solve today’s cyber-threats. Fostering creativity within cyber-training allows us to visualize and capture an idea or solution on a hyper-scalable level too, so that we can solve complex problems across large communities with a vast group of people.
How do you envision security training evolving over the next year or so?
The need to scale and adapt to an increasingly pervasive cloud/hybrid-cloud model will drive the evolution of cybersecurity training. The cloud provides us the opportunity to be more secure and adaptable; however, in a space of numerous and complex boundaries, the cloud security suites and workforce will need to adapt accordingly. Fortunately, with the benefits of ubiquitous cloud computing we will see persistent learning environments that are hyper-scalable, allowing many industries to learn and adapt together, and defeat evolving threats together with an agility unachievable in previous paradigms. We’ll see more opportunities to leverage the augmentation of machine learning both in terms of teaching and offloading some of those mundane tasks with AI. Costs for training will go down, fidelity will go up, and training content will be more accessible.
Cyber-training will be more adaptive, persistent, scalable and accessible as technology evolves and spending is directed toward learning outcomes. This will support the next generation of cyber-professionals in middle and high school, who will be able to access the same tools the professional cyber-workforce uses. That’s significant in helping the industry minimize the skills gap.
Cyber-ranges will be the platform of choice for training because they will facilitate community collaboration more than ever before. These environments will include user-generated content that matches all knowledge, skill and ability levels. When we have scalable cyber-training and can develop talent within, the future of cyber-training is bright.